[keycloak-user] API not protected immediately after logout

Stian Thorgersen sthorger at redhat.com
Wed Mar 21 10:21:05 EDT 2018


I don't know what the connect.sid cookie is. Sounds like there's some sort
of logged-in session between your app and the nodejs app that doesn't have
anything to do with keycloak.js

keycloak.js clears tokens on logout. You should invoke the node.js services
with the bearer token. There's no need to have a session cookie between the
app and service.

On 21 March 2018 at 12:02, José Miguel Gonçalves <jose.goncalves at inov.pt>
wrote:

> Digging a little bit more on this issue, I found that the session is still
> alive after logout because of a 'connect.sid' cookie set in the browser
> that was written by the Node.js server. As this cookie has the HttpOnly
> flag set, it cannot be cleared on the client side.
>
> So my question is, what needs to be changed on the example code
> ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and
> clear 'connect.sid' cookie) immediately after I press the logout button?
>
>
> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>
> Shouldn't this be a task for the JavaScript adapter, i.e., the logout
> method should not perform this automatically for us?
>
> It seems to me that tokens clearing should be transparent to the app user,
> because if tokens are implicitly created on the login procedure, they
> should also be implicitly cleared on the logout.
>
> On 20-03-2018 20:43, Stian Thorgersen wrote:
>
> Unless the service calls the token introspection endpoint it won't know
> that the access token has expired until it actually expires. That is the
> cause of the slight delay from logout. The app should really clear the
> tokens after logout.
>
> On 20 March 2018 at 20:07, José Miguel Gonçalves <jose.goncalves at inov.pt>
> wrote:
>
>> Hi,
>>
>> To test a scenario of a Node.js RESTful service secured by Keycloak
>> (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
>> example code from https://github.com/keycloak/keycloak-quickstarts
>> ('service-nodejs' and 'app-jee-html5').
>> While everything seems fine at first glance, there is an issue after I
>> logout on the app.
>> After logging out, I see that I continue to have access to the protected
>> endpoints for some short time (about 1 minute after logout).
>> Am I missing some configuration or is this a bug on Keycloak?
>>
>> Regards,
>> José Gonçalves
>>
>
>

