Keycloak logout does not end session


Question

I am using Keycloak 3.4 in a Java application using Spring Framework and Jetty 8.1 with the Keycloak Jetty-81-Adapter 3.4.

According to the Keycloak documentation I should be able to use the HttpServletRequest in a Java EE application to log out from Keycloak. However, this does not work in my case, even though Jetty supports HttpServletRequests.

You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout().

If I try to log out this way, I get redirected to Keycloak (login screen with the option to choose from multiple realm logins). When I choose my preferred realm, however, I am immediately logged in to the web application again, without having to provide any credentials.

I tried the alternative approach, by redirecting to Keycloak:

For other browser applications, you can redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

but it throws a connection refused error in the Keycloak log, because Keycloak tries to call my webapp directly. It has no effect on the Keycloak session, which stays active. I strongly prefer that no server-side calls from Keycloak to the webapp be necessary.

Any suggestions why HttpServletRequest.logout() does not destroy the Keycloak session in my case? Is the Jetty implementation of HttpServletRequest so different from the Java EE implementation that it could not work at all?
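The two logout paths the question describes can be combined in one servlet: a container-level logout through HttpServletRequest.logout() (which clears the adapter's local state and the HTTP session) followed by a browser redirect to the Keycloak front-channel logout endpoint (which ends the SSO session in Keycloak without any server-to-server call). The following is an added example, not code from the question or from the Keycloak project; the servlet name, the realm name, the Keycloak base URL and the post-logout URL are assumptions and must be replaced with your own deployment values.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (added example). It performs the local container
// logout first and then sends the browser to Keycloak's OIDC logout endpoint,
// so both the application session and the Keycloak SSO session end.
public class LogoutServlet extends HttpServlet {

    // Assumed deployment values (constructed for this example).
    private static final String KEYCLOAK_BASE = "http://auth-server/auth";
    private static final String REALM = "my-realm";
    // Must be registered as a valid redirect URI on the Keycloak client,
    // otherwise Keycloak rejects the redirect_uri parameter.
    private static final String POST_LOGOUT_URI = "http://webapp.example/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Container logout: lets the Keycloak adapter drop its cached
        //    token state for this request/session (Servlet 3.0 API).
        try {
            req.logout();
        } catch (ServletException e) {
            // Some containers throw when no user is authenticated; continue anyway.
            log("request.logout() failed: " + e.getMessage());
        }

        // 2. Invalidate the HTTP session so no local principal or token survives.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Front-channel logout: the *browser* is redirected to Keycloak, so no
        //    direct call from Keycloak to the web application is required.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(buildLogoutUrl(KEYCLOAK_BASE, REALM, POST_LOGOUT_URI));
    }

    // Builds http://auth-server/auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri=...
    // with the redirect URI percent-encoded, as the documentation quoted above requires.
    static String buildLogoutUrl(String base, String realm, String redirectUri)
            throws IOException {
        return base + "/realms/" + URLEncoder.encode(realm, "UTF-8")
                + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(redirectUri, "UTF-8");
    }
}
```

After deploying this, the check is the one the answer below recommends: log out, then open the client in the Keycloak admin console and list its sessions; if the session is gone, both halves worked. The "connection refused" entry in the Keycloak log is worth treating as a configuration signal rather than ignoring it: Keycloak only attempts a direct call to an application when the client has an admin/back-channel URL registered for it, so an unreachable address there means Keycloak's own back-channel logout can never succeed and sessions on that client will outlive the user's intent.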

Answer

I have had a similar experience when using a remote (OIDC) identity provider. What I found was that HttpServletRequest.logout did actually destroy the session in Keycloak, but did not propagate to the logout URL of my remote identity provider. When going to the remote login site, it just immediately redirected me back, seeing that I had an active session. This looked a lot like the Keycloak session wasn't actually invalidated, but I checked and it was. Using a browser redirect to the URL did log out in both places. Might be a bug in Keycloak.

Could it be that you are facing the same problem? To verify, try logging out, then select your client in Keycloak and list sessions, to see whether it still exists in Keycloak.
