[keycloak-user] On the gateway, the Keycloak adapter (KeycloakWebSecurityConfigurerAdapter) skips the token after the user logs off
Al
navptr at bk.ru
Wed Jul 24 14:37:02 EDT 2019
On the gateway, the Keycloak adapter (KeycloakWebSecurityConfigurerAdapter) skips the token after the user logs off:
1. User entered the application. Session is active. Remember the token (Authorization: bearer)
2. The user exits the application (keycloak.logout()). No session in keycloak.
3. Make a request to auth/realms/realm/account with the saved token. No access. Good.
4. Make a request to the resource through the gateway (KeycloakWebSecurityConfigurerAdapter) with the saved token - there is access. Bug!?
Shouldn't the KeycloakWebSecurityConfigurerAdapter check this by default?
How do I make the gateway not pass the token after keycloak.logout()?
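
A minimal model of steps 1-4, added here as an illustration (not part of the original post, and not Keycloak or adapter code): it contrasts a check that looks only at a token's signature and expiry with one that also consults the issuer's session state. The HMAC token format, the key, the timestamps and all function names are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: stand-in for the realm signing key
active_sessions = set()          # assumption: stand-in for the server-side session store

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login(user: str, now: int, lifespan: int = 300) -> str:
    """Step 1: open a session and issue a signed access token bound to it."""
    sid = f"sess-{user}-{now}"
    active_sessions.add(sid)
    body = _b64(json.dumps({"sub": user, "sid": sid, "exp": now + lifespan}).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_offline(token: str, now: int):
    """Local check: signature and expiry only, no call back to the issuer."""
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def verify_online(token: str, now: int):
    """Session-aware check: additionally require that the issuer still has the session."""
    claims = verify_offline(token, now)
    return claims if claims and claims.get("sid") in active_sessions else None

def logout(token: str, now: int) -> None:
    """Step 2: end the server-side session; the already issued token is unchanged."""
    claims = verify_offline(token, now)
    if claims:
        active_sessions.discard(claims["sid"])

def replay_after_logout(now: int = 1000) -> dict:
    """Replay the saved token after logout against both kinds of check."""
    token = login("al", now)
    logout(token, now + 10)
    return {"offline": verify_offline(token, now + 20) is not None,    # step 4
            "online": verify_online(token, now + 20) is not None,      # step 3
            "offline_after_exp": verify_offline(token, now + 301) is not None}
```

In a real deployment the session-aware check corresponds to OAuth 2.0 token introspection (RFC 7662) at the cost of a round trip per request; a shorter access token lifespan narrows the window in which a purely local check still accepts a token after logout.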