[keycloak-user] keycloak does not send backchannel logout requests to Admin URL
mn at fstrk.io
Tue Nov 12 07:01:58 EST 2019
I see, thanks!
But I created a catch-all REST endpoint that would show any requests
coming from keycloak. And it shows none.
Maybe you are executing logout in a different way than me? I just
redirect the user to a logout URL:
http://xxxxx:com/auth/realms/fasttrack/protocol/openid-connect/logout
<http://ec2-52-90-230-56.compute-1.amazonaws.com:9090/auth/realms/fasttrack/protocol/openid-connect/logout>
12.11.19 10:16, Leonid Rozenblyum wrote:
> The adapter creates REST endpoints to listen to the logout event.
> Suppose there are 2 apps under SSO. You execute log-out from one of them.
> Another one is receiving backchannel call from Keycloak about the
> log-out event to immediately terminate session.
> Otherwise the 2nd app will know about session invalidation only after
> next request to keycloak (e.g. for refreshing a token).
>
> I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak
> 7.0.1 however it still contained a bug for Single Logout that's why I
> had to promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
>
> Until keycloak 8 is released I had to apply a workaround of custom
> HttpSessionManager registration.
>
>
> On Tue, Nov 12, 2019 at 6:09 AM mn at fstrk.io wrote:
>
> Anyway, if you've made this work, please specify the versions of
> the libraries you used; I will find a Java friend to put them
> together, and then I'll look at HTTP requests issued and implement
> them in Python :)
>
> 11.11.19 23:06, Leonid Rozenblyum wrote:
>> Well since Spring Security adapter is used inside Java client
>> software to secure communication with Keycloak, and you're
>> developing your software in Python - it seems to be another
>> problem...
>>
>> According to the docs:
>>
>>
>> *Admin URL*
>> For _Keycloak specific_ client adapters, this is the callback
>> endpoint for the client. The Keycloak server will use this URI to
>> make callbacks like pushing revocation policies, performing
>> backchannel logout, and other administrative operations. For
>> Keycloak servlet adapters, this can be the root URL of the
>> servlet application. For more information see Securing
>> Applications and Services Guide.
>>
>> It looks like Python OIDC library is not keycloak-specific, so
>> Admin URL is NOT an option to set up backchannel logout.
>>
>> On Mon, Nov 11, 2019 at 9:41 PM mn at fstrk.io wrote:
>>
>> I would love to try it, but I am a Python guy and I am not
>> sure how to figure out Keycloak internals :) Is there any way
>> you can point me to look for the instructions on how to do it?
>>
>>
>>
>> 11.11.19 22:27, Leonid Rozenblyum wrote:
>>> Ok, I see.
>>> But do you use Spring Security adapter in your application?
>>> If yes, a workaround for KEYCLOAK-10266
>>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible
>>> even before 8.0.0 release.
>>>
>>> On Mon, Nov 11, 2019 at 6:48 PM mn at fstrk.io wrote:
>>>
>>> I am using the Docker version, and 8.0.0 has not been
>>> released in Docker yet:
>>> https://hub.docker.com/r/jboss/keycloak/tags
>>>
>>> so I guess the only option for me is to wait for the 8.0.0
>>> Docker release then.
>>>
>>>
>>> 11.11.19 17:56, Leonid Rozenblyum wrote:
>>>> Hi. What adapter are you using?
>>>> Spring Security adapter had a bug which was recently
>>>> fixed and the fix should be part of 8.0.0
>>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>>
>>>> On Mon, Nov 11, 2019 at 6:14 AM mn at fstrk.io wrote:
>>>>
>>>> I created a client in Keycloak and set up a test
>>>> admin URL
>>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>>> (this is a
>>>> webhook testing site).
>>>>
>>>> After that, I performed an OpenID login via this
>>>> client, and then sent a
>>>> logout request to Keycloak.
>>>>
>>>>
>>>> I did this a couple of times, and tried two ways of
>>>> logging a user out:
>>>>
>>>> - redirecting to
>>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>>
>>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>>
>>>> - force logging out of the user via Keycloak admin
>>>> interface:
>>>> http://prntscr.com/pv1v76
>>>>
>>>> The user indeed gets logged out. However, in both
>>>> of these cases I don't
>>>> see any requests coming out from Keycloak. The
>>>> testing website shows
>>>> zero registered requests.
>>>>
>>>>
>>>> How do I make this work?
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mikhail Novikov
>>>>
>>>>
>>>
>>> --
>>> Mikhail Novikov
>>> Lead Developer
>>> fstrk.io <http://fstrk.io>
>>>
>>
>> --
>> Mikhail Novikov
>> Lead Developer
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Mikhail Novikov
> Lead Developer
> fstrk.io <http://fstrk.io>
>
--
Mikhail Novikov
Lead Developer
fstrk.io
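
Added example, not part of the original thread and not Keycloak project code: a Python sketch of the receiving side of the adapter callback described in the quoted replies, for a client that is not a Keycloak-specific adapter. It assumes the behaviour of the Keycloak adapters of that era (a POST to `<Admin URL>/k_logout` whose body is a compact JWS carrying a `LogoutAction` with `action`, `resource`, `expiration`, `adapterSessionIds`, `keycloakSessionIds` and `notBefore`); check these against your Keycloak version. `verify_signature` is a hypothetical caller-supplied callable that checks the signature against the realm key, and the sample token is constructed.

```python
import base64
import json
import time

def b64url_decode(part):
    # JWS segments are base64url without padding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def constructed_token(payload, alg="RS256"):
    # Constructed sample only: the signature segment is a placeholder.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "kid": "sample-kid"}), enc(payload), "c2ln"])

def parse_logout_action(path, body, client_id, verify_signature,
                        allowed_algs=("RS256",), now=None):
    """Validate a k_logout callback; return what to invalidate or raise ValueError."""
    if path.rstrip("/").rsplit("/", 1)[-1] != "k_logout":
        raise ValueError("not a logout callback")
    parts = body.strip().split(".")
    if len(parts) != 3:
        raise ValueError("body is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in allowed_algs:  # rejects "none" and unexpected algorithms
        raise ValueError("unexpected alg")
    # The signature covers the first two segments exactly as received.
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verify_signature(signing_input, b64url_decode(parts[2]), header.get("kid")):
        raise ValueError("signature check failed")
    action = json.loads(b64url_decode(parts[1]))
    # An unauthenticated or misaddressed logout would let anyone end sessions.
    if action.get("action") != "LOGOUT" or action.get("resource") != client_id:
        raise ValueError("action not addressed to this client")
    if (time.time() if now is None else now) > action.get("expiration", 0):
        raise ValueError("action expired")
    return {
        "adapter_sessions": action.get("adapterSessionIds") or [],
        "keycloak_sessions": action.get("keycloakSessionIds") or [],
        "not_before": action.get("notBefore", 0),
    }
```

The web framework's handler for the Admin URL would pass the request path and raw body to `parse_logout_action` and then drop the returned sessions from its own session store.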