 

Keycloak logout request does not log out user

I am currently working on a small project using Keycloak 2.5.0. I've already set up the user login and I'm now trying to implement a page-wide logout button.

As the documentation states, I simply called the route http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://application-root.com/ . For the sake of simplicity I used an anchor tag to make this GET request.

If I take a look into the Network tab of the Firefox developer tools, everything seems to be working fine. I am getting back a 302 status code for the redirection request. After that, the application successfully requests http://application-root.com/ with a status code of 200 and redirects me to this page.

But when I want to request the locked content again (the one secured by Keycloak), it's still accessible.

But whenever I manually delete the JSESSIONID and KEYCLOAK_ADAPTER_STATE cookies after the redirection, everything works fine and I'm logged out correctly. Sadly I can't delete those cookies programmatically because they are HttpOnly.

What is the expected behaviour of this request?

Am I missing something?

Has anyone experienced anything similar?

Thanks for any help.

Lucca asked Feb 17 '17 10:02



People also ask

How does Keycloak logout work?

In an SSO plugin for Jira, Confluence, Bitbucket or Bamboo, enter http://{domain-name}/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri as the Logout Endpoint. Once the user has signed in to the application through Keycloak, logging out of the application also logs them out of Keycloak.

What is backchannel logout in Keycloak?

backchannelLogout() is a back-channel logout endpoint implementation for Keycloak: Keycloak POSTs a signed LogoutToken to the client, and the endpoint, after validating that token, tries to log the user out of all application sessions it identifies.

What is OIDC in Keycloak?

OpenID Connect (OIDC) is an authentication protocol built as an extension of OAuth 2.0. OAuth 2.0 by itself is an authorization framework: it defines how a client obtains an access token but deliberately leaves authentication of the end user unspecified. OIDC adds the missing identity layer (the signed ID token, the UserInfo endpoint and the associated claims), which makes it a complete authentication and authorization protocol.

Is Keycloak secure?

Advantages of using Keycloak: credentials and sessions are handled by a dedicated identity server maintained by security specialists. It is easier and safer to protect a single server dedicated to identity management and security than every server that runs the various service providers.
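The behaviour the question describes (the Keycloak logout endpoint answers with a 302, yet the protected page is still served until JSESSIONID is gone) and the back-channel logout mentioned in the snippet above are illustrated by the following simulation. It is an added example, not Keycloak's or any adapter's code. The GET logout endpoint ends the SSO session at the identity provider and redirects the browser; the application's own session, which the adapter keeps behind JSESSIONID, is a separate object that only dies when the application invalidates it, either because it handled the logout itself or because the identity provider pushed a logout to it over the back channel. The IdentityProvider and Application classes, the HS256 shared secret, the session stores and the constructed user "alice" are assumptions made for illustration; Keycloak signs tokens with RS256 keys published on its JWKS endpoint, and its Java adapters of that era received the push through the client's Admin URL rather than an OIDC LogoutToken, but the step the application must take is the same.

```python
"""Simulation: front-channel logout at the IdP versus the application's own session.

Added example, not Keycloak's or any adapter's code. IdentityProvider, Application
and the HS256 shared secret are assumptions; Keycloak uses RS256 keys from its JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256 stand-in for Keycloak's RS256 signing)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class IdentityProvider:
    """Holds the SSO sessions. The GET logout endpoint only touches these."""

    def __init__(self, issuer: str, secret: bytes):
        self.issuer, self.secret = issuer, secret
        self.sso_sessions: dict = {}  # sid -> subject

    def login(self, subject: str) -> str:
        sid = uuid.uuid4().hex
        self.sso_sessions[sid] = subject
        return sid

    def front_channel_logout(self, sid: str) -> None:
        """What the question's anchor tag triggers: the SSO session dies and the
        browser is redirected. Nothing is sent to the application."""
        self.sso_sessions.pop(sid, None)

    def logout_token(self, sid: str, client_id: str) -> str:
        """Logout token as specified in OIDC Back-Channel Logout 1.0, section 2.4."""
        return sign_hs256({"iss": self.issuer, "aud": client_id, "iat": int(time.time()),
                           "jti": uuid.uuid4().hex, "sid": sid,
                           "events": {LOGOUT_EVENT: {}}}, self.secret)


class Application:
    """The relying party: its own session cookie (think JSESSIONID) bound to an IdP sid."""

    def __init__(self, client_id: str, issuer: str, secret: bytes):
        self.client_id, self.issuer, self.secret = client_id, issuer, secret
        self.sessions: dict = {}  # app session cookie -> IdP sid

    def establish_session(self, sid: str) -> str:
        cookie = uuid.uuid4().hex
        self.sessions[cookie] = sid
        return cookie

    def is_logged_in(self, cookie: str) -> bool:
        return cookie in self.sessions

    def verify_logout_token(self, token: str) -> dict:
        """Signature plus the claim checks the spec requires before acting on a token."""
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        aud = claims.get("aud")
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if aud != self.client_id and not (isinstance(aud, list) and self.client_id in aud):
            raise ValueError("wrong audience")
        if "iat" not in claims or "jti" not in claims:
            raise ValueError("iat and jti are required")
        if LOGOUT_EVENT not in claims.get("events", {}):
            raise ValueError("not a logout token")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("sub or sid is required")
        if "nonce" in claims:
            raise ValueError("nonce is prohibited in logout tokens")
        return claims

    def backchannel_logout(self, token: str) -> int:
        """POST handler: validate, then drop every app session bound to the token's sid."""
        sid = self.verify_logout_token(token).get("sid")
        victims = [c for c, bound in self.sessions.items() if bound == sid]
        for c in victims:
            del self.sessions[c]
        return len(victims)


def demo() -> tuple:
    """(logged in after login, after front-channel logout only, after back-channel logout)"""
    secret = b"constructed-shared-secret"
    idp = IdentityProvider("http://my-auth-server/auth/realms/master", secret)
    app = Application("application-root", idp.issuer, secret)
    sid = idp.login("alice")
    cookie = app.establish_session(sid)
    before = app.is_logged_in(cookie)
    idp.front_channel_logout(sid)
    after_front = app.is_logged_in(cookie)  # still True: the app session was never invalidated
    app.backchannel_logout(idp.logout_token(sid, app.client_id))
    after_back = app.is_logged_in(cookie)  # False only now
    return before, after_front, after_back
```

The middle value of `demo()` is the question's symptom: the identity provider has forgotten the user, but the application has not, so the adapter keeps honouring the existing JSESSIONID. The practical fix on the application side is to end the local session on logout (the servlet adapters expose this through `HttpServletRequest.logout()`) before or instead of sending the browser to the Keycloak endpoint, or to make sure the identity provider can reach the application to push the logout.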


1 Answer

I implemented logout using Keycloak version 4.8.3. The mandatory parameter is the ID token (id_token_hint). The optional parameter is the redirect URL (post_logout_redirect_uri). Example:

http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEY0gyNnl0OFV0OEJQTGxoR&post_logout_redirect_uri=http:%2F%2Fapplication-root.com%2F

andrija answered Sep 16 '22 12:09

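The URL in the answer, as an added example that is not the answerer's or Keycloak's code: a helper that builds the RP-initiated logout URL with the redirect target percent-encoded as a single parameter value (the `%2F` sequences in the answer are exactly this), and the check the identity provider has to make on `post_logout_redirect_uri` before honouring it. Keycloak validates that parameter against the redirect URIs registered for the client identified by `id_token_hint`; without such a check the logout endpoint is an open redirector. The endpoint, the token value and the registered URI patterns below are constructed for illustration; in a real application `id_token_hint` is the ID token received at login.

```python
"""Building Keycloak's RP-initiated logout URL, and the redirect check on the IdP side.

Added example, not Keycloak's code. The endpoint, the registered URI patterns and the
ID token value are constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlparse

LOGOUT_ENDPOINT = "http://my-auth-server/auth/realms/master/protocol/openid-connect/logout"


def build_logout_url(id_token: str, post_logout_redirect_uri: str = "") -> str:
    """id_token_hint is required; post_logout_redirect_uri is optional. urlencode
    percent-encodes ':' and '/' so the redirect target survives as one parameter value."""
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return f"{LOGOUT_ENDPOINT}?{urlencode(params)}"


def redirect_uri_allowed(candidate: str, registered: list) -> bool:
    """What the IdP must check before redirecting: the target matches one of the
    client's registered URIs exactly, or by prefix when the pattern ends in '*'.
    Only absolute http(s) URLs are considered at all."""
    parsed = urlparse(candidate)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    for pattern in registered:
        if pattern.endswith("*"):
            if candidate.startswith(pattern[:-1]):
                return True
        elif candidate == pattern:
            return True
    return False


def handle_logout_request(url: str, registered: list) -> str:
    """The IdP's decision for a GET to the logout URL: the redirect target it will use,
    or "" when it should show its own logged-out page instead."""
    query = parse_qs(urlparse(url).query)
    if "id_token_hint" not in query:
        raise ValueError("id_token_hint is required")
    target = query.get("post_logout_redirect_uri", [""])[0]
    if not target:
        return ""
    if not redirect_uri_allowed(target, registered):
        raise ValueError("post_logout_redirect_uri is not registered for this client")
    return target
```

Register the pattern with a trailing slash before the wildcard (`http://application-root.com/*`, not `http://application-root.com*`), otherwise `http://application-root.com.attacker.example/` passes the prefix check. The same reasoning applied to the older `redirect_uri` form used in the question; later Keycloak releases deprecated that parameter in favour of `id_token_hint` (or `client_id`) together with `post_logout_redirect_uri`.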