When using Keycloak and Spring Security with the OIDC Client protocol, the application session won't expire when the Keycloak SSO session timeout has already occurred. As a result, if a user accesses any part of the application protected by the Keycloak adapter after the access token has expired, Spring Security still has the authentication object. When the Keycloak adapter checks whether the access token is active (which it won't be at this point), the adapter (the RefreshableKeycloakSecurityContext.java class) attempts to get a new access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak, the adapter throws
Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}
So, the user can still navigate and access any part of the application, without being taken to login page to re-authenticate.
Any tips/ideas on how I can achieve the desired behavior, so that when the Keycloak SSO session expires the user will be redirected to the login page and the Spring authentication will be invalidated?
Spring-Security: 4.0.4.RELEASE
Keycloak Spring Security Adapter: 3.4.2.Final
Keycloak Server: 3.4.3.Final
Keycloak is an open source Identity and Access Management server that is compliant with the OAuth2 and OpenID Connect (OIDC) protocols and is targeted towards modern applications and services. Keycloak offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
Keycloak client adapters are libraries that make it very easy to secure applications and services with Keycloak. We call them adapters rather than libraries as they provide a tight integration to the underlying platform and framework.
The user authenticates with Keycloak. The authorization code is returned to the server-side web application. The application exchanges the authorization code for tokens, using the credentials registered with the client in Keycloak.
There seems to be something missing from the XML configuration section of the Keycloak documentation. There is a filter to be used for checking the token and logging the user out if it can't be refreshed: KeycloakSecurityContextRequestFilter.
So if you are using XML config based on the documentation, you have to add the following bean:
<bean id="keycloakSecurityContextRequestFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter" />
And then add this to the security:http configuration:
<security:custom-filter ref="keycloakSecurityContextRequestFilter" after="FORM_LOGIN_FILTER" />
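As an added illustration (not code from the question, the answer, or the Keycloak project), the servlet filter below does in plain Java what the answer says KeycloakSecurityContextRequestFilter does: on each request it checks whether the access token behind the current KeycloakAuthenticationToken is still active, asks RefreshableKeycloakSecurityContext to refresh it if not, and, when the refresh fails (the "invalid_grant" / "Refresh token expired" response in the question), clears the Spring security context, invalidates the HTTP session and redirects to the login URL so the user must re-authenticate. The class name SsoSessionExpiryFilter, the package, and the /sso/login redirect path are assumptions for this example; the Keycloak adapter calls (isActive(), refreshExpiredToken(boolean), getAccount().getKeycloakSecurityContext()) are the 3.4.x adapter APIs the answer relies on.

```java
package example.security; // assumed package name for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Example filter (not the Keycloak adapter's own KeycloakSecurityContextRequestFilter)
 * that enforces the Keycloak SSO session on the Spring Security side: once the
 * access token can no longer be refreshed, the cached Spring authentication is
 * dropped and the user is sent back to the login entry point.
 */
public class SsoSessionExpiryFilter implements Filter {

    // Assumed login path; /sso/login is the path the Keycloak Spring adapter's
    // entry point uses by default, but pass whatever your application exposes.
    private final String loginPath;

    public SsoSessionExpiryFilter(String loginPath) {
        this.loginPath = loginPath;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof KeycloakAuthenticationToken
                && !tokenStillValid((KeycloakAuthenticationToken) auth)) {
            // The SSO session is gone: forget the stale authentication and session
            // so that nothing downstream treats the user as logged in, then force
            // a fresh login round-trip to Keycloak.
            SecurityContextHolder.clearContext();
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True if the access token is active, or was inactive but could be refreshed.
     * refreshExpiredToken(true) returns true without a server call while the token
     * is active; when the refresh token is rejected (HTTP 400 invalid_grant) the
     * adapter logs "Refresh token failure status: ..." and returns false, which is
     * the condition the question describes being ignored.
     */
    static boolean tokenStillValid(KeycloakAuthenticationToken token) {
        KeycloakSecurityContext ctx = token.getAccount().getKeycloakSecurityContext();
        if (!(ctx instanceof RefreshableKeycloakSecurityContext)) {
            return true; // non-refreshable (e.g. bearer-only) context: nothing to refresh
        }
        RefreshableKeycloakSecurityContext refreshable = (RefreshableKeycloakSecurityContext) ctx;
        if (refreshable.isActive()) {
            return true;
        }
        return refreshable.refreshExpiredToken(true);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With XML configuration this filter would be declared as a bean and placed in the chain the same way the answer places KeycloakSecurityContextRequestFilter (a security:custom-filter after FORM_LOGIN_FILTER), so that it runs after the Keycloak authentication filters have populated the security context but before FilterSecurityInterceptor authorises the request. If you are on the 3.4.x adapter, prefer registering the project's own KeycloakSecurityContextRequestFilter as the answer shows; the class above only spells out the check it performs.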