I am unable to log out a user. The logout works for "confidential" applications but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).

I have the following configuration:

  1. I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)

  2. I have one "rest_service" client application defined in Keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The workflow described below is implemented in this application using REST web services

I am performing the following steps:

  1. An HTTP GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak

  2. The user performs the login using his credentials (using the credentials of a user defined in Keycloak)

  3. Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.

  4. After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully

  5. After the access token is available I proceed to access the "bearer-only" REST web services.

Note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and has the correct "role" assigned.

Problem: As stated at the start of the post the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again).

If I perform the logout of the user, the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: "Some clients have been not been logged out for user adminuser in demo realm: rest_service"

I tried implementing the logout in three ways:

  1. A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the redirect_uri and client_id parameters

  2. A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri

  3. A REST service exposed by the "bearer-only" service which calls `request.logout()` on the `HttpServletRequest`

None of the above methods works.

PS: I did not want to go into too many details because the post is long enough as it is. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)

SwissNavy: Same issue. Any luck? I also tried python-keycloak. Same message "Some clients have been not been logged out for user <some user>", no logout happens.

Taha Ergun: I got the same problem too, do you have any solutions?

Dan Nemes: Try performing a POST request on the following URL: {BASE_SERVER_URL}{PORT}/auth/realms/{REALM}/users/{USER_UUID} Also make sure to add the access token in the request header.

1 Answer


This is quite old but it could help someone else. I can't quite remember what I did in order to fix this problem but the below details could be helpful.

In order to invalidate the token so that it can't be used anymore you have to perform a POST request to the following endpoint: /auth/realms/{REALM}/users/{USER_UUID}/logout and to add the access token in the header.

PS: If anyone tries this and it works for him please add a comment just so that I can be sure that this is a working solution and to help others having this problem. Thank you!
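Why none of the three logouts in the question stops the bearer-only service, and what the answer's per-user logout does and does not buy you: a bearer-only Keycloak adapter validates the access token offline (signature against the realm's public key plus expiry), so a server-side logout kills the SSO session and the refresh token but leaves an already-issued access token valid until it expires. The per-user logout the answer describes lives in Keycloak's admin REST API (`/auth/admin/realms/{realm}/users/{id}/logout`, needing a token with admin rights) and has the same limit. A defender-side fix is to keep access-token lifetimes short and, for sensitive calls, have the REST service ask Keycloak whether the token is still active through its RFC 7662 introspection endpoint (`/auth/realms/{realm}/protocol/openid-connect/token/introspect`, authenticated with a confidential client's credentials). The script below is an added example, not code from the question, the answer or Keycloak: it shows the offline check passing after a logout and the introspection gate denying access. The HS256 signing, key, claims, and the introspection replies are constructed stand-ins (Keycloak signs with RS256, and `introspect` stands in for the real HTTP call).

```python
"""Offline JWT validation vs. token introspection for a bearer-only service.
All keys, tokens and introspection replies below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

DEMO_KEY = b"constructed-demo-hmac-key"          # stand-in for the realm's RSA key
REALM_URL = "http://localhost:8180/auth/realms/demo"  # realm URL used in the question


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict, key: bytes = DEMO_KEY) -> str:
    """Constructed HS256 JWT standing in for a Keycloak access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_offline(token: str, key: bytes = DEMO_KEY,
                     now: Optional[float] = None) -> Dict:
    """What a bearer-only adapter does: verify signature and expiry only.
    Nothing here talks to the server, so a logout is invisible to it.
    Raises ValueError for a malformed, forged or expired token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def introspection_request(token: str, client_id: str, client_secret: str) -> Dict:
    """Shape of the RFC 7662 call a confidential client sends to Keycloak,
    returned as plain data so it can be sent with any HTTP library."""
    return {
        "url": f"{REALM_URL}/protocol/openid-connect/token/introspect",
        "auth": (client_id, client_secret),   # HTTP Basic with client credentials
        "data": {"token": token},
    }


def authorize(token: str, required_role: str, introspect: Callable[[str], Dict],
              key: bytes = DEMO_KEY, now: Optional[float] = None) -> bool:
    """Gate for a protected REST call: cheap offline checks first, then ask the
    server whether the session behind the token is still alive, then the role."""
    try:
        claims = validate_offline(token, key, now)
    except ValueError:
        return False
    if not introspect(token).get("active", False):
        return False                          # session logged out or token revoked
    return required_role in claims.get("realm_access", {}).get("roles", [])


if __name__ == "__main__":
    tok = mint_token({"sub": "adminuser", "exp": time.time() + 300,
                      "realm_access": {"roles": ["user"]}})
    # Before logout: constructed introspection reply says the token is active.
    print(authorize(tok, "user", lambda t: {"active": True}))   # True
    # After logout the token bytes are unchanged, so offline validation still passes...
    print(validate_offline(tok)["sub"])                          # adminuser
    # ...but introspection now reports the session gone and access is denied.
    print(authorize(tok, "user", lambda t: {"active": False}))  # False
```

The introspection round trip costs a server call per request, which is why it is usually paired with a short access-token lifetime rather than used on its own; the adapter's offline check alone is exactly the behaviour the question observes.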