dgr018

Reputation: 81

keycloak openid single log out with spring boot

I'm trying to implement a single log out in my spring boot applications using keycloak and openid.

I already set up Keycloak 3.4.3 with Spring Boot 1.5.3 and the Spring Security adapter (documentation here), also using the Tomcat adapter (documentation here). Everything works fine until I try to log out from all my sessions.

I have tried:

1) On the Keycloak administration console UI: "Logout all sessions". Result: it does clear all sessions from Keycloak, but not the browser ones in my client applications, so I stay logged in until I delete them manually.

2) Using HttpServletRequest.logout() and http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri (documentation here), which only logs out from the current client and does not behave as SLO.

I'm not sure whether OpenID supports SLO, and I cannot find any reliable documentation about it.

Is there a way to implement single logout using OpenID and Spring Boot?

Upvotes: 4

Views: 11811

Answers (2)

Alexey Ivanov

Reputation: 11

According to the official documentation, HttpServletRequest.logout() should work, but it does not. By mistake or for some other reason, this approach only logs out the web container session, not the Keycloak session. It requires some additional work.

for keycloak-spring-boot-starter:17.0.1

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.adapters.KeycloakDeployment;
    import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;

    @Controller
    public class LogoutController {

        /**
         * Makes SSO Logout.
         * This endpoint has to be private. Otherwise there will be no token to send logout to KeyCloak.
         *
         * @param request the request
         * @return redirect to logout page
         * @throws ServletException if tomcat session logout throws exception
         */
        @GetMapping(path = "/logout")
        public String logout(HttpServletRequest request) throws ServletException {
            keycloakSessionLogout(request);
            tomcatSessionLogout(request);
            return "redirect:/public/logout.html";
        }

        // Sends the refresh token to Keycloak's logout endpoint, ending the SSO session server-side.
        private void keycloakSessionLogout(HttpServletRequest request) {
            RefreshableKeycloakSecurityContext c = getKeycloakSecurityContext(request);
            KeycloakDeployment d = c.getDeployment();
            c.logout(d);
        }

        // Invalidates the local web-container (Tomcat) session only.
        private void tomcatSessionLogout(HttpServletRequest request) throws ServletException {
            request.logout();
        }

        // The adapter stores the security context as a request attribute keyed by the class name.
        private RefreshableKeycloakSecurityContext getKeycloakSecurityContext(HttpServletRequest request) {
            return (RefreshableKeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        }
    }

Upvotes: 1
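The question's logout URL (the realm's openid-connect/logout endpoint with redirect_uri) and the answer above's adapter calls are two halves of the same procedure; the following controller is an added example, not code from the question or either answer, that puts them together for keycloak-spring-boot-starter 17.x: end the Keycloak SSO session through the adapter, drop the local container session, then send the browser to the realm's logout endpoint so Keycloak's own browser cookies are expired too. The class name SingleLogoutController, the /logout mapping and the POST_LOGOUT_URL value are assumptions for the example.

```java
import java.net.URI;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

// Added example; class name, mapping and landing URL are assumptions, not part of the original page.
@Controller
public class SingleLogoutController {

    // Where Keycloak should send the browser after ending the SSO session.
    // Deliberately a constant: reading it from a request parameter would turn /logout
    // into an open redirector. It must also appear in the client's "Valid Redirect URIs"
    // in the Keycloak admin console, or Keycloak refuses the redirect.
    private static final String POST_LOGOUT_URL = "https://app.example.com/public/loggedout.html";

    @GetMapping("/logout")
    public String logout(HttpServletRequest request) throws ServletException {
        RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());

        if (ctx == null) {
            // Not authenticated through Keycloak (for example the mapping was left public):
            // there is no refresh token to revoke, so only the local session can be dropped.
            request.logout();
            return "redirect:" + POST_LOGOUT_URL;
        }
        KeycloakDeployment deployment = ctx.getDeployment();

        // 1. Back-channel: the adapter posts the refresh token to the realm's logout
        //    endpoint, which ends the SSO session on the server. Keycloak then notifies
        //    every other client that has an Admin URL configured.
        ctx.logout(deployment);

        // 2. Local: invalidate this application's container session (Tomcat / Spring Security).
        request.logout();

        // 3. Front-channel: redirect the browser to the same endpoint the question cites
        //    (.../realms/{realm}/protocol/openid-connect/logout?redirect_uri=...). This
        //    expires the Keycloak browser cookies; with steps 1 and 2 alone the browser
        //    keeps a cookie for a session that no longer exists. The adapter builds the
        //    realm-specific URL and URL-encodes the query parameter.
        URI endSession = deployment.getLogoutUrl()
                .queryParam("redirect_uri", POST_LOGOUT_URL)
                .build();
        return "redirect:" + endSession;
    }
}
```

Keep the /logout mapping behind authentication, as the answer above says, otherwise step 1 has no token to send. Note that from Keycloak 18 the redirect_uri parameter on the logout endpoint is deprecated in favour of post_logout_redirect_uri together with id_token_hint; on those versions replace the queryParam call accordingly.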

Sazzad Islam

Reputation: 173

You can do the following to log out:

    // Invalidates the local web-container session; the return value is a view name,
    // so a redirect prefix is needed to send the browser back to the home page.
    @GetMapping(path = "/logout")
    public String logout(HttpServletRequest request) throws ServletException {
        request.logout();
        return "redirect:/";
    }

html

<a href="/logout">Logout</a>

Upvotes: 6
