[keycloak-user] KEYCLOAK SAML logout not working as documented

Björn Sonntag bjoern.sonntag at t-online.de
Mon Jun 17 17:25:45 EDT 2019


Hello Manuel,

please refer to the documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter. When you work within a servlet filter, it will act the same. 

In case of a Java servlet filter client adapter, the backchannel logout works differently! Instead of invalidating the session, you will be marked as logged out. 

In your case, implement the logout inside your code, which is in the application server like the web application, and NOT in an external filter.

With best regards,

Bjoern
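As an added illustration of the advice above (not code from this thread or from Keycloak), a logout endpoint that lives inside the secured web application itself rather than in an external filter. It assumes a hypothetical servlet mapping /logout under the application's security constraint and a hypothetical unprotected page /loggedout.html to land on afterwards; the explicit session.invalidate() covers the case, shown in the quoted Undertow code below, where invalidate-session-on-logout is not enabled for the deployment.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet deployed inside the secured application.
// The mapping is assumed to sit under the application's security constraint,
// so the request passes through the Keycloak SAML adapter like any other.
@WebServlet("/logout")
public class AppLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Container-level logout: clears the Undertow SecurityContext for this
        // request, which is the path the Keycloak documentation names for
        // Java EE servlet containers.
        req.logout();

        // Undertow's HttpServletRequestImpl.logout() only invalidates the
        // HttpSession when isInvalidateSessionOnLogout() is true for the
        // deployment, so invalidate it explicitly to make sure no local
        // session state outlives the logout.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Redirect to a page that is NOT behind the security constraint
        // (assumed to exist here), so the adapter has no reason to start a
        // fresh authentication for the follow-up request.
        resp.sendRedirect(req.getContextPath() + "/loggedout.html");
    }
}
```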
> On 17.06.2019 at 18:56, Manuel Waltschek <manuel.waltschek at prisma-solutions.at> wrote:
> 
> Hello KC Community,
> 
> I am still trying to find out how to properly log out from Keycloak using the KC adapter on WildFly 10.
> Documentation says
> 
> 3.1.8. Logout
> 
> There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true. This will log you out if you have an SSO session with your browser.
> As HttpServletRequest.logout() in Undertow's implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout, which returns false in my case, it does not do much.
> 
>    @Override
>    public void logout() throws ServletException {
>        SecurityContext sc = exchange.getSecurityContext();
>        sc.logout();
>        if(servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
>            HttpSession session = getSession(false);
>            if(session != null) {
>                session.invalidate();
>            }
>        }
>    }
> 
> I'm calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the Keycloak session and I can still reach protected resources. There is no backchannel request as I would expect.
> When I do the following:
> 
>  private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
>      throws ServletException, IOException {
>    String contextPath = req.getContextPath();
>    req.logout();
>    resp.sendRedirect(contextPath + "?GLO=true");
>  }
> 
> it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse is posted to myapp/saml again, which leads to HTTP status code 403 Forbidden.
> 
> Please also see:
> 
> https://issues.jboss.org/browse/KEYCLOAK-2191
> 
> and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html
> 
> 
> Regards,
> 
> 
> 
> Manuel Waltschek BSc.
> 
> +43 660 86655 47
> manuel.waltschek at prisma-solutions.at
> https://www.prisma-solutions.com
> 
> PRISMA solutions EDV-Dienstleistungen GmbH
> Klostergasse 18, 2340 Mödling, Austria
> Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
