[keycloak-user] Keycloak logout not working for “bearer-only” application exposing REST services

Sebastien Blanc sblanc at redhat.com
Sun Jan 21 05:11:10 EST 2018


Hi,

Which version of Keycloak are you using ? Which adapters are you using for
the client and bearer-only apps ? We need this info. And yes sharing your
project (through github for instance) could be really helpful.



On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes <dan.nemes at ymail.com> wrote:

> Hello,
> I am unable to logout an user. The logout works for a "confidential"
> applications but it doesn't for a "bearer-only" application (the REST
> services are still accessible after logout).
> I have the following configuration:
>
>    - I have one "database" client application defined in Keycloak having
> access type "bearer-only" (created with the intent of exposing REST web
> services protected by Keycloak based on user roles)
>    - I have one "rest_service" client application defined in keycloak
> having access type "confidential" (created with the intent of logging in
> users and allowing access to the "bearer-only" REST services after a
> successful login). The below described workflow is implemented in this
> application using REST web services
> I am performing the following steps:
>    - An http GET request is performed on URL http://localhost:8180/
> auth/realms/demo/protocol/openid-connect/auth which redirects the user to
> the login page handled by Keycloak
>    - The user performs the login using his credentials (using the
> credentials of a user defined in Keycloak)
>    - Keycloak redirects the user to the "redirect_uri" which was passed in
> step 1. In this step Keycloak also provides as request parameters the
> "state" and "code" values.
>    - After the user has been redirected back to the application I exchange
> the "code" received in step 3 for a token doing a POST request on
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which
> is done successfully
>    - After the access token is available I proceed to access the
> "bearer-only" REST web services.
> note: the REST web services exposed by the "bearer-only" service are not
> accessible unless the user has been logged in and it has the correct "role"
> assigned to it.Problem: As stated at the start of the post the user is
> still able to access the "bearer-only" REST web services after the logout
> has been done. The only thing that seems to work is the logout from the
> "confidential" application (the user is not able to access the application
> unless he logs in again).If I perform the logout of the user then the REST
> web services exposed by the bearer-only application are still accessible.
> In the Keycloak server I get the following WARN message: " Some clients
> have been not been logged out for user adminuser in demo realm:
> rest_service"I tried implementing the logout in three ways:
>    - A redirect to URL http://localhost:8180/auth/realms/demo/protocol/
> openid-connect/logoutpassing in the redirect_uri and client_id parameters
>    - A POST request to http://localhost:8180/auth/
> realms/demo/protocol/openid-connect/logoutpassing in the Authorization
> Bearer in the header and the client_id, refresh_token, client_secret and
> redirect_uri
>    - A REST service exposed by the "bearer-only" service which does the
> following method call: HttpServletRequest request.logout()
> Neither of the above methods is working.PS: I did not want to go in to
> many details because even so the post is long enough. If I missed something
> please tell me and I will provide the additional information (if possible I
> can also attach the actual projects)
> Thank you,Dan Nemes
>
> |  | Virus-free. www.avg.com  |
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list