I have a small problem with my Keycloak Spring security adapter configuration.
I have an application secured by Keycloak via Spring security.
It works pretty well, I can connect without any problem.
My problem is at logout.
When I click the logout button, I am 'logged out', that is, redirected to the login page, Keycloak session cleaned (checked in Keycloak), so everything seems good.
The problem is that when I click to access the application again in a new tab, I don't have the login page displayed, I have direct access to the application.
I debbuged and it seems that the problem is that the Keycloak token is still available and valid in the application, and therefore no need to login again.
I googled a lot, but I don't find any working solution for it.
Here is my logout config :
...
.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
...
.addFilterAt(logoutFilter(), LogoutFilter.class)
...
.logout() .addLogoutHandler(keycloakLogoutHandler()) .logoutUrl("/logout") //Allows specifying the names of cookies to be removed on logout success. .deleteCookies("JSESSIONID") //Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout. .invalidateHttpSession(true)
... @Bean public LogoutFilter logoutFilter() throws Exception { LogoutFilter logoutFilter = new LogoutFilter("/login.app", keycloakLogoutHandler()); logoutFilter.setFilterProcessesUrl("/logout"); return logoutFilter; }
...So, my question is : how can I, at logout time, invalidate/delete/clean the Keycloak token present in the application ?
Thank you very much for the help !
11 Answer
So, as Harish Gupta point, the solution was to add a simple HttpServletRequest.logout() to make it work completely.
Thank you !
1