[keycloak-user] API not protected immediately after logout

Bruno Oliveira bruno at abstractj.org
Thu Mar 22 03:37:41 EDT 2018


Sorry if I didn't see your message before. My e-mail was disabled on
this mailing list for some reason, which I have no idea about.

I would really appreciate it if you filed a Jira with everything you reported
here. In this way, I can investigate later, when I have some time, whether
there's a bug in the quickstarts.

Thank you!

On 2018-03-22, Stian Thorgersen wrote:
> Bruno - can you comment on this please? I can't see why when the Node.js
> adapter is used to secure a service it should create a cookie at all.
> 
> On 21 March 2018 at 15:40, José Miguel Gonçalves <jose.goncalves at inov.pt>
> wrote:
> 
> > The 'connect.sid' token is set by the Node.js server example code at
> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs
> > The issue is related to that example code, so I was trying to get info
> > on what needs to be changed/corrected on it, to correctly secure a Node.js
> > REST API with Keycloak.
> > The Keycloak documentation for the Node.js Adapter
> > (http://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter)
> > is in sync with the example code, so I assume that
> > something is missing on the logout procedure...
> >
> >
> > On 03/21/2018 02:21 PM, Stian Thorgersen wrote:
> >
> > I don't know what the connect.sid cookie is. Sounds like there's some sort
> > of logged-in session between your app and the nodejs app that doesn't have
> > anything to do with keycloak.js.
> >
> > keycloak.js clears tokens on logout. You should invoke the node.js
> > services with the bearer token. There's no need to have a session cookie
> > between the app and service.
> >
> > On 21 March 2018 at 12:02, José Miguel Gonçalves <jose.goncalves at inov.pt>
> > wrote:
> >
> >> Digging a little bit more into this issue, I found that the session is
> >> still alive after logout because of a 'connect.sid' cookie set in the
> >> browser that was written by the Node.js server. As this cookie has the
> >> HttpOnly flag set, it cannot be cleared on the client side.
> >>
> >> So my question is, what needs to be changed on the example code
> >> ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and
> >> clear 'connect.sid' cookie) immediately after I press the logout button?
> >>
> >>
> >> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
> >>
> >> Shouldn't this be a task for the JavaScript adapter, i.e., shouldn't the
> >> logout method perform this automatically for us?
> >>
> >> It seems to me that token clearing should be transparent to the app
> >> user, because if tokens are implicitly created on the login procedure, they
> >> should also be implicitly cleared on the logout.
> >>
> >> On 20-03-2018 20:43, Stian Thorgersen wrote:
> >>
> >> Unless the service calls the token introspection endpoint it won't know
> >> that the access token has expired until it actually expires. That is the
> >> cause of the slight delay from logout. The app should really clear the
> >> tokens after logout.
> >>
> >> On 20 March 2018 at 20:07, José Miguel Gonçalves <jose.goncalves at inov.pt>
> >> wrote:
> >>
> >>> Hi,
> >>>
> >>> To test a scenario of a Node.js RESTful service secured by Keycloak
> >>> (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
> >>> example code from https://github.com/keycloak/keycloak-quickstarts
> >>> ('service-nodejs' and 'app-jee-html5').
> >>> While everything seems fine at first glance, there is an issue after I
> >>> log out of the app.
> >>> After logging out, I see that I continue to have access to the protected
> >>> endpoints for some short time (about 1 minute after logout).
> >>> Am I missing some configuration or is this a bug in Keycloak?
> >>>
> >>> Regards,
> >>> José Gonçalves
> >>>
> >>
> >>
> >

-- 

abstractj

