Logout from Spring security keycloak adapter, but no need to login to access application

I have a small problem with my Keycloak Spring security adapter configuration.
I have an application secured by Keycloak via Spring security.
It works pretty well, I can connect without any problem.

My problem is at logout.
When I click the logout button, I am 'logged out', that is, redirected to the login page, Keycloak session cleaned (checked in Keycloak), so everything seems good.
The problem is that when I click to access the application again in a new tab, I don't have the login page displayed, I have direct access to the application.
I debbuged and it seems that the problem is that the Keycloak token is still available and valid in the application, and therefore no need to login again.
I googled a lot, but I don't find any working solution for it.

Here is my logout config :

...
.addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
...
.addFilterAt(logoutFilter(), LogoutFilter.class)
...
.logout() .addLogoutHandler(keycloakLogoutHandler()) .logoutUrl("/logout") //Allows specifying the names of cookies to be removed on logout success. .deleteCookies("JSESSIONID") //Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout. .invalidateHttpSession(true)
... @Bean public LogoutFilter logoutFilter() throws Exception { LogoutFilter logoutFilter = new LogoutFilter("/login.app", keycloakLogoutHandler()); logoutFilter.setFilterProcessesUrl("/logout"); return logoutFilter; }
...

So, my question is : how can I, at logout time, invalidate/delete/clean the Keycloak token present in the application ?

Thank you very much for the help !

1

1 Answer

So, as Harish Gupta point, the solution was to add a simple HttpServletRequest.logout() to make it work completely.

Thank you !

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like