[keycloak-user] API not protected immediately after logout

José Miguel Gonçalves jose.goncalves at inov.pt
Wed Mar 21 10:40:02 EDT 2018


The 'connect.sid' token is set by the Node.js server example code at 
https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs
The issue is related to that example code, so I was trying to get information 
on what needs to be changed/corrected in it to correctly secure a 
Node.js REST API with Keycloak.
Keycloak's documentation for the Node.js Adapter 
(http://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter) 
is in sync with the example code, so I assume that something is missing 
from the logout procedure...

On 03/21/2018 02:21 PM, Stian Thorgersen wrote:
> I don't know what the connect.sid cookie is. Sounds like there's some 
> sort of logged-in session between your app and the nodejs app that 
> doesn't have anything to do with keycloak.js
>
> keycloak.js clears tokens on logout. You should invoke the node.js 
> services with the bearer token. There's no need to have a session 
> cookie between the app and service.
>
> On 21 March 2018 at 12:02, José Miguel Gonçalves 
> <jose.goncalves at inov.pt> wrote:
>
>     Digging a little bit more on this issue, I found that the session
>     is still alive after logout because of a 'connect.sid' cookie set
>     in the browser that was written by the Node.js server. As this
>     cookie has the HttpOnly flag set, it can not be cleared on the
>     client side.
>
>     So my question is, what needs to be changed on the example code
>     ('service-nodejs' and/or 'app-jee-html5') to terminate the session
>     (and clear 'connect.sid' cookie) immediately after I press the
>     logout button?
>
>
>     On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>>     Shouldn't this be a task for the JavaScript adapter, i.e.,
>>     shouldn't the logout method perform this automatically for us?
>>
>>     It seems to me that token clearing should be transparent to the
>>     app user, because if tokens are implicitly created during the login
>>     procedure, they should also be implicitly cleared on logout.
>>
>>     On 20-03-2018 20:43, Stian Thorgersen wrote:
>>>     Unless the service calls the token introspection endpoint it
>>>     won't know that the access token has expired until it actually
>>>     expires. That is the cause of the slight delay from logout. The
>>>     app should really clear the tokens after logout.
>>>
>>>     On 20 March 2018 at 20:07, José Miguel Gonçalves
>>>     <jose.goncalves at inov.pt> wrote:
>>>
>>>         Hi,
>>>
>>>         To test a scenario of a Node.js RESTful service secured by
>>>         Keycloak (3.4.3.Final), I've set up a Node.js server and an
>>>         HTML5 client using example code from
>>>         https://github.com/keycloak/keycloak-quickstarts
>>>         ('service-nodejs' and 'app-jee-html5').
>>>         While everything seems fine at first glance, there is an
>>>         issue after I log out of the app.
>>>         After logging out, I see that I continue to have access to
>>>         the protected endpoints for some short time (about 1 minute
>>>         after logout).
>>>         Am I missing some configuration or is this a bug in Keycloak?
>>>
>>>         Regards,
>>>         José Gonçalves
>>>
>


