I have a small problem with my Keycloak Spring security adapter configuration.
I have an application secured by Keycloak via Spring security.
It works pretty well, I can connect without any problem.

My problem is at logout.
When I click the logout button, I am 'logged out', that is, redirected to the login page, Keycloak session cleaned (checked in Keycloak), so everything seems good.
The problem is that when I click to access the application again in a new tab, I don't have the login page displayed, I have direct access to the application.
I debbuged and it seems that the problem is that the Keycloak token is still available and valid in the application, and therefore no need to login again.
I googled a lot, but I don't find any working solution for it.

Here is my logout config :

... .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class) ... .addFilterAt(logoutFilter(), LogoutFilter.class) ... .logout() .addLogoutHandler(keycloakLogoutHandler()) .logoutUrl("/logout") //Allows specifying the names of cookies to be removed on logout success. .deleteCookies("JSESSIONID") //Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout. .invalidateHttpSession(true) ... @Bean public LogoutFilter logoutFilter() throws Exception { LogoutFilter logoutFilter = new LogoutFilter("/login.app", keycloakLogoutHandler()); logoutFilter.setFilterProcessesUrl("/logout"); return logoutFilter; } ... 

So, my question is : how can I, at logout time, invalidate/delete/clean the Keycloak token present in the application ?

Thank you very much for the help !

1

1 Answer

So, as Harish Gupta point, the solution was to add a simple HttpServletRequest.logout() to make it work completely.

Thank you !

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.