Question
I have a configuration where I'm using Keycloak as an Identity Broker, and a custom Identity Provider (using Spring Security OAuth) to provide user information.
What I observe is that when I attempt to log out (using frontchannel flow), Keycloak cookies including KEYCLOAK_IDENTITY remain. I expect to see Set-Cookie headers setting the expires to some date in the past.
The implication of this is that if I then go to a protected endpoint/page, I am able to access that resource without logging back in. Keycloak reads the IdToken value from the KEYCLOAK_IDENTITY cookie and uses that to reauthenticate the user.
How do I configure Keycloak to fully log a user out?
Answer 1:
The solution is buried in the Keycloak source code:
- If I specify a logout URL in my Identity Provider configuration, Keycloak will not unset its own cookies. Reference: OIDCIdentityProvider.keycloakInitiatedBrowserLogout(). This method needs to return null in order for Keycloak to unset its cookies.
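As an added check (my own code, not from the question, the answer or the Keycloak project), the script below inspects the Set-Cookie headers of a logout response and reports which Keycloak session cookies a browser would still hold afterwards, which is exactly the symptom the question describes. The sample headers and the realm path /auth/realms/demo/ are constructed.

```python
"""Report Keycloak session cookies that survive a logout response."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# The cookie the question saw surviving; extend with others your deployment relies on.
SESSION_COOKIES = ("KEYCLOAK_IDENTITY",)

# Constructed Set-Cookie headers: BROKEN_LOGOUT mirrors a logout that only redirects to
# the IdP logout URL without touching cookies; FIXED_LOGOUT mirrors a proper reset.
BROKEN_LOGOUT = []
FIXED_LOGOUT = [
    "KEYCLOAK_IDENTITY=; Version=1; Path=/auth/realms/demo/; Max-Age=0; "
    "Expires=Thu, 01 Jan 1970 00:00:10 GMT; HttpOnly",
]


def _morsel_is_expired(morsel, now):
    """True when the cookie is being cleared: Max-Age <= 0 or Expires in the past."""
    max_age = morsel["max-age"]
    if max_age != "":
        try:
            return int(max_age) <= 0
        except ValueError:
            return False
    expires = morsel["expires"]
    if expires != "":
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False  # unparseable date: assume the cookie survives
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False  # no expiry attribute: the browser keeps the new value


def surviving_session_cookies(set_cookie_headers, now=None, names=SESSION_COOKIES):
    """Return the session cookies a browser would still hold after this response.

    A cookie that the response never mentions survives, because the browser
    simply keeps the value it already has.
    """
    now = now or datetime.now(timezone.utc)
    cleared = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in names and _morsel_is_expired(morsel, now):
                cleared.add(name)
    return [name for name in names if name not in cleared]
```

Feed it the Set-Cookie headers captured from your real logout redirect; an empty list means Keycloak did clear its session.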
Source: https://stackoverflow.com/questions/55130831/how-to-have-keycloak-logout-unset-session