[keycloak-user] Session Logout with Offline Access Token

Marek Posolda mposolda at redhat.com
Wed Mar 29 13:28:42 EDT 2017


On 29/03/17 13:43, Benjamin Zaitlen wrote:
> Any thoughts on this?
>
> --Ben
>
> On Fri, Mar 24, 2017 at 5:20 PM, Benjamin Zaitlen <quasiben at gmail.com>
> wrote:
>
>> Hi All,
>>
>> I'm having some trouble with sessions, clients, and offline access
>> tokens.  Let's say I have a client (APP 1) and I've logged in with OIDC.  I
>> now have a refresh_token and session for APP 1. Using the auth code flow I
>> can generate an offline_access token (refresh_token) for a second client:
>> APP 2.   When I look in realms/myrealm/account/sessions, I see one
>> session but two clients.  At first I thought, great!  I was able to get the
>> auth code flow working and I generated a refresh token for a second client.
>>
>> But then disaster set in, when I logged out of the APP 1 client with the
>> URL: protocol/openid-connect/logout. I was logged out of the session which
>> included the second client and thus the offline access token for APP 2
>> was effectively revoked.
>>
>> I've seen a handful of JIRAs related to offline access tokens and logouts
>> but I think they don't quite cover this use case. I have two questions:
>>
>> 1. Is it possible, using the auth code flow, to generate a refresh token
>> in a separate session? That is, can APP 1 generate an offline_access token for
>> APP 2 in a separate session without re-authenticating?
Once you log in to your APP 2, you have both an online session, which is 
part of SSO login (hence you are able to browse APP 2 with your browser), 
and an offline session. After login to APP 2, you need to somehow save your 
offline token for later use, which is the responsibility of your APP 2.

SSO logout will clear your browser session, but the offline token will 
still be valid and can be used for further refreshes. The offline token will 
also survive a server restart.

You can take a look at the example in the keycloak-examples distribution 
under "preconfigured-demo/offline-access-app", which also does a logout 
of the browser session (or a server restart), but the offline token is still valid.
>>
>> 2. Can I logout a specific client for a session by passing additional
>> parameters in the logout URL ?
Nope, logout is always global SSO logout as it clears the userSession on 
the Keycloak side. Assume that when the "global" userSession is not 
cleared, then the single logged-out client will still always be able to 
log in anytime due to the SSO session, hence logout would be a bit pointless, 
though?

Marek
>>
>> Thanks,
>> --Ben
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
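An added example, not from this thread or from Keycloak's own code, of the check APP 2 can make before it persists the refresh token that Marek says it must save: Keycloak marks offline tokens with typ "Offline", while ordinary refresh tokens (typ "Refresh") are revoked together with the SSO session at logout, which is the behaviour Ben observed. The sample tokens are constructed and unsigned; the token endpoint path is Keycloak's standard one, and the client id and secret are placeholders.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Return the unverified JSON payload of a compact JWT (header.payload.signature).
    No signature check: the app only inspects a token it just received from the token
    endpoint over TLS to decide how to store it; the server re-validates it at refresh."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def is_offline_token(refresh_token: str) -> bool:
    """Keycloak sets typ "Offline" on offline tokens; ordinary refresh tokens carry
    typ "Refresh" and are revoked together with the SSO session on logout."""
    return decode_jwt_payload(refresh_token).get("typ") == "Offline"

def select_token_to_persist(token_response: dict) -> Optional[str]:
    """Return the refresh_token only if it will outlive an SSO logout, else None."""
    rt = token_response.get("refresh_token")
    return rt if rt and is_offline_token(rt) else None

def refresh_request_form(client_id: str, client_secret: str, offline_token: str) -> dict:
    """Form body for POST .../realms/{realm}/protocol/openid-connect/token that
    exchanges a stored offline token for a fresh access token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": offline_token}

def _constructed_jwt(payload: dict) -> str:
    # Constructed, unsigned sample for this demo; not a real Keycloak token.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"none"}')
    return f"{header}.{enc(json.dumps(payload).encode())}."

# Constructed token responses standing in for what APP 1 and APP 2 would receive.
ONLINE_RESPONSE = {"refresh_token": _constructed_jwt({"typ": "Refresh", "azp": "app1"})}
OFFLINE_RESPONSE = {"refresh_token": _constructed_jwt(
    {"typ": "Offline", "azp": "app2", "scope": "offline_access"})}

if __name__ == "__main__":
    print("APP 1 refresh token survives logout:", select_token_to_persist(ONLINE_RESPONSE) is not None)
    print("APP 2 refresh token survives logout:", select_token_to_persist(OFFLINE_RESPONSE) is not None)
```

Storing the token when this check fails is what produced Ben's symptom: a typ "Refresh" token for APP 2 is tied to the shared userSession and dies with the APP 1 logout.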



