Keycloak Session Timeout behavior when using Spring Security Adapter

When using Keycloak and Spring Security with the OIDC client protocol, the application session won't expire when the Keycloak SSO session timeout has already occurred. As a result, if a user accesses any part of the application protected by the Keycloak adapter after the access token has expired, Spring Security still has the authentication object. But when the Keycloak adapter checks to see if the access token is active (which it won't be at this point), the adapter (the RefreshableKeycloakSecurityContext.java class) attempts to get a new access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak, the adapter throws

Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}

So, the user can still navigate and access any part of the application, without being taken to login page to re-authenticate.

Any tips/ideas on how I can achieve the desired behavior, so that when the Keycloak SSO session expires the user will be redirected to the login page and the Spring authentication will be invalidated?

Spring-Security: 4.0.4.RELEASE
Keycloak Spring Security Adapter: 3.4.2.Final
Keycloak Server: 3.4.3.Final
lazyneuron asked May 18 '18 09:05



1 Answer

There seems to be something missing from the XML configuration section of the Keycloak documentation. There is a filter to be used for checking the token and logging the user out if it can't be refreshed: KeycloakSecurityContextRequestFilter.

So if you are using XML config based on the documentation, you have to add the following bean:

<bean id="keycloakSecurityContextRequestFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter" />

And then add this to the security:http configuration:

<security:custom-filter ref="keycloakSecurityContextRequestFilter" after="FORM_LOGIN_FILTER" />
Tobb answered Oct 18 '22 07:10
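As an added example (not part of the answer above), here is the bean and custom-filter from the answer placed in a complete security:http block, so the ordering relative to the other Keycloak filters is visible. It assumes the other bean ids (keycloakPreAuthActionsFilter, keycloakAuthenticationProcessingFilter, keycloakAuthenticationEntryPoint, keycloakLogoutHandler) are declared as in the Keycloak documentation's XML configuration; the URL patterns are constructed for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The bean from the answer: re-checks the token on every request and
         logs the user out when the refresh token can no longer be used. -->
    <bean id="keycloakSecurityContextRequestFilter"
          class="org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter" />

    <!-- Assumed to be declared elsewhere, as in the Keycloak docs' XML example:
         keycloakPreAuthActionsFilter, keycloakAuthenticationProcessingFilter,
         keycloakAuthenticationEntryPoint, keycloakLogoutHandler. -->

    <security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint">
        <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
        <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />

        <!-- The missing piece: runs after authentication processing, so once the
             SSO session has expired the Spring authentication is dropped and the
             next request reaches the entry point (redirect to login). -->
        <security:custom-filter ref="keycloakSecurityContextRequestFilter" after="FORM_LOGIN_FILTER" />

        <!-- Constructed URL patterns, for illustration only -->
        <security:intercept-url pattern="/app/**" access="ROLE_USER" />
        <security:logout logout-url="/sso/logout" success-handler-ref="keycloakLogoutHandler" />
    </security:http>
</beans>
```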