[keycloak-user] keycloak does not send backchannel logout requests to Admin URL

mn at fstrk.io mn at fstrk.io
Tue Nov 12 07:01:58 EST 2019


I see, thanks!

But I created a catch-all REST endpoint that would show any requests 
coming from keycloak. And it shows none.

Maybe you are executing logout in a different way than me? I just 
redirect the user to a logout URL:
http://xxxxx:com/auth/realms/fasttrack/protocol/openid-connect/logout 
<http://ec2-52-90-230-56.compute-1.amazonaws.com:9090/auth/realms/fasttrack/protocol/openid-connect/logout> 




12.11.19 10:16, Leonid Rozenblyum wrote:
> The adapter creates REST endpoints to listen to the logout event.
> Suppose there are 2 apps under SSO. You execute log-out from one of them.
> Another one is receiving backchannel call from Keycloak about the 
> log-out event to immediately terminate session.
> Otherwise the 2nd app will know about session invalidation only after 
> the next request to Keycloak (e.g. for refreshing a token).
>
> I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak 
> 7.0.1 however it still contained a bug for Single Logout that's why I 
> had to promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
>
> Until keycloak 8 is released I had to apply a workaround of custom 
> HttpSessionManager registration.
>
>
> On Tue, Nov 12, 2019 at 6:09 AM mn at fstrk.io <mailto:mn at fstrk.io> 
> <mn at fstrk.io <mailto:mn at fstrk.io>> wrote:
>
>     Anyway, if you've made this work, please specify the versions of
>     the libraries you used; I will find a Java friend to put them
>     together, and then I'll look at HTTP requests issued and implement
>     them in Python :)
>
>     11.11.19 23:06, Leonid Rozenblyum wrote:
>>     Well since Spring Security adapter is used inside Java client
>>     software to secure communication with Keycloak, and you're
>>     developing your software in Python - it seems to be another
>>     problem...
>>
>>     According to the docs:
>>
>>
>>     *Admin URL*
>>     For _Keycloak specific_ client adapters, this is the callback
>>     endpoint for the client. The Keycloak server will use this URI to
>>     make callbacks like pushing revocation policies, performing
>>     backchannel logout, and other administrative operations. For
>>     Keycloak servlet adapters, this can be the root URL of the
>>     servlet application. For more information see Securing
>>     Applications and Services Guide.
>>
>>     It looks like Python OIDC library is not keycloak-specific, so
>>     Admin URL is NOT an option to set up backchannel logout.
>>
>>     On Mon, Nov 11, 2019 at 9:41 PM mn at fstrk.io <mailto:mn at fstrk.io>
>>     <mn at fstrk.io <mailto:mn at fstrk.io>> wrote:
>>
>>         I would love to try it, but I am a Python guy and I am not
>>         sure how to figure out Keycloak internals :) Is there any way
>>         you can point me to look for the instructions on how to do it?
>>
>>
>>
>>         11.11.19 22:27, Leonid Rozenblyum wrote:
>>>         Ok, I see.
>>>         But do you use Spring Security adapter in your application?
>>>         If yes, a workaround for KEYCLOAK-10266
>>>         <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible
>>>         even before 8.0.0 release.
>>>
>>>         On Mon, Nov 11, 2019 at 6:48 PM mn at fstrk.io
>>>         <mailto:mn at fstrk.io> <mn at fstrk.io <mailto:mn at fstrk.io>> wrote:
>>>
>>>             I am using the Docker version, and 8.0.0 has not been
>>>             released in Docker yet:
>>>             https://hub.docker.com/r/jboss/keycloak/tags
>>>
>>>             so I guess the only option for me is wait for the 8.0.0
>>>             Docker release then.
>>>
>>>
>>>             11.11.19 17:56, Leonid Rozenblyum wrote:
>>>>             Hi. What adapter are you using?
>>>>             Spring Security adapter had a bug which was recently
>>>>             fixed and the fix should be part of 8.0.0
>>>>             https://issues.jboss.org/browse/KEYCLOAK-10266
>>>>
>>>>             On Mon, Nov 11, 2019 at 6:14 AM mn at fstrk.io
>>>>             <mailto:mn at fstrk.io> <mn at fstrk.io <mailto:mn at fstrk.io>>
>>>>             wrote:
>>>>
>>>>                 I created a client in Keycloak and set up a test
>>>>                 admin URL
>>>>                 https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>>>                 (this is a
>>>>                 webhook testing site).
>>>>
>>>>                 After that, I performed an OpenID login via this
>>>>                 client, and then sent a
>>>>                 logout request to Keycloak.
>>>>
>>>>
>>>>                 I did this a couple of times, and tried two ways of
>>>>                 logging a user out:
>>>>
>>>>                 - redirecting to
>>>>                 http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>>
>>>>                 <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>>
>>>>                 - force logging out of the user via Keycloak admin
>>>>                 interface:
>>>>                 http://prntscr.com/pv1v76
>>>>
>>>>                 The user indeed gets logged out. However, in both
>>>>                 of these cases I don't
>>>>                 see any requests coming out from Keycloak. The
>>>>                 testing website shows
>>>>                 zero registered requests.
>>>>
>>>>
>>>>                 How do I make this work?
>>>>
>>>>
>>>>
>>>>
>>>>                 -- 
>>>>                 Mikhail Novikov
>>>>
>>>>                 _______________________________________________
>>>>                 keycloak-user mailing list
>>>>                 keycloak-user at lists.jboss.org
>>>>                 <mailto:keycloak-user at lists.jboss.org>
>>>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>             -- 
>>>             Mikhail Novikov
>>>             Lead Developer
>>>             fstrk.io  <http://fstrk.io>
>>>
>>
>>         -- 
>>         Mikhail Novikov
>>         Lead Developer
>>         fstrk.io  <http://fstrk.io>
>>
>
>     -- 
>     Mikhail Novikov
>     Lead Developer
>     fstrk.io  <http://fstrk.io>
>

-- 
Mikhail Novikov
Lead Developer
fstrk.io


