[keycloak-user] API not protected immediately after logout
Stian Thorgersen
sthorger at redhat.com
Thu Mar 22 01:27:35 EDT 2018
Bruno - can you comment on this please? I can't see why when the Node.js
adapter is used to secure a service it should create a cookie at all.
On 21 March 2018 at 15:40, José Miguel Gonçalves <jose.goncalves at inov.pt>
wrote:
> The 'connect.sid' token is set by the Node.js server example code at
> https://github.com/keycloak/keycloak-quickstarts/tree/
> latest/service-nodejs
> The issue is related with that example code, so I was trying to get info
> on what needs to be changed/corrected on it, to correctly secure a Node.js
> REST API with Keycloak.
> The Keycloak's documentation for the Node.js Adapter (
> http://www.keycloak.org/docs/latest/securing_apps/index.
> html#_nodejs_adapter) is in sync with the example code, so I assume that
> something is missing on the logout procedure...
>
>
> On 03/21/2018 02:21 PM, Stian Thorgersen wrote:
>
> I don't know what the connect.sid cookie is. Sounds like there's some sort
> of logged-in session between your app and the nodejs app that doesn't have
> anything to do with keycloak.js
>
> keycloak.js clears tokens on logout. You should invoke the node.js
> services with the bearer token. There's no need to have a session cookie
> between the app and service.
>
> On 21 March 2018 at 12:02, José Miguel Gonçalves <jose.goncalves at inov.pt>
> wrote:
>
>> Digging a little bit more on this issue, I found that the session is
>> still alive after logout because of a 'connect.sid' cookie set in the
>> browser that was written by the Node.js server. As this cookie has the
>> HttpOnly flag set, it can not be cleared on the client side.
>>
>> So my question is, what needs to be changed on the example code
>> ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and
>> clear 'connect.sid' cookie) immediately after I press the logout button?
>>
>>
>> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>>
>> Shouldn't this be a task for the JavaScript adapter, i.e., the logout
>> method should not perform this automatically for us?
>>
>> It seems to me that tokens clearing should be transparent to the app
>> user, because if tokens are implicitly created on the login procedure, they
>> should also be implicitly cleared on the logout.
>>
>> On 20-03-2018 20:43, Stian Thorgersen wrote:
>>
>> Unless the service calls the token introspection endpoint it won't know
>> that the access token has expired until it actually expires. That is the
>> cause of the slight delay from logout. The app should really clear the
>> tokens after logout.
>>
>> On 20 March 2018 at 20:07, José Miguel Gonçalves <jose.goncalves at inov.pt>
>> wrote:
>>
>>> Hi,
>>>
>>> To test a scenario of a Node.js RESTfull service secured by Keycloak
>>> (3.4.3.Final), I've setup a Node.js server and a HTML5 client using
>>> example code from https://github.com/keycloak/keycloak-quickstarts
>>> ('service-nodejs' and 'app-jee-html5').
>>> While everything seems fine at first glance, there is an issue after I
>>> logout on the app.
>>> After logging out, I see that I continue to have access to the protected
>>> endpoints for some short time (about 1 minute after logout).
>>> Am I missing some configuration or is this a bug on Keycloak?
>>>
>>> Regards,
>>> José Gonçalves
>>>
>>
>>
>
More information about the keycloak-user
mailing list