OidcHttpFacade not logouts in Wildfly v36.0.1
44 views
Skip to first unread message
Patrik B
Jun 10, 2025, 8:51:15 AMJun 10
to WildFly
I'm using OIDC.json in my three WAR it's setted this way (same in every WAR for SSO):
{
"realm": "${keycloak.realm}",
"auth-server-url": "${keycloak.auth.server.url}",
"ssl-required": "none",
"resource": "common-web",
"token-store": "cookie",
"adapter-state-cookie-path": "/",
"token-signature-algorithm": "ES256",
"credentials": {
"secret": "xxxxx"
}
}
@Context
protected HttpServletRequest request;
@POST
@Path("/logout")
public Response logout(boolean isUserRequestedLogout) {
try {
request.logout();
request.getSession().invalidate();
} catch (ServletException e) {
log.error(e.getLocalizedMessage(), e);
}
return Response.ok(new ResponseWrapper<>(true)).build();
}
when request.logout() is called the RefreshableOidcSecurityContext logout(OidcClientConfiguration clientConfiguration) method calls Keycloak which loguts the active user session successfully. OidcCookieTokenStore global logout is called after that in OidcHttpFacade resetCookie(final String name, final String path) method is called but the inner lambda not called to setCookie(...) , so frontend COOKIE_STATE is still exists and frontend can call every endpoint.
What do I do wrong, why setCookie not called in the lambda expression?
It's works when I use SessionStore (logs out perfectly) instead of CookieStore, but whit Session store I can't manage to make SSO with the 3 WAR.
{
"realm": "${keycloak.realm}",
"auth-server-url": "${keycloak.auth.server.url}",
"ssl-required": "none",
"resource": "common-web",
"token-store": "cookie",
"adapter-state-cookie-path": "/",
"token-signature-algorithm": "ES256",
"credentials": {
"secret": "xxxxx"
}
}
@Context
protected HttpServletRequest request;
@POST
@Path("/logout")
public Response logout(boolean isUserRequestedLogout) {
try {
request.logout();
request.getSession().invalidate();
} catch (ServletException e) {
log.error(e.getLocalizedMessage(), e);
}
return Response.ok(new ResponseWrapper<>(true)).build();
}
when request.logout() is called the RefreshableOidcSecurityContext logout(OidcClientConfiguration clientConfiguration) method calls Keycloak which loguts the active user session successfully. OidcCookieTokenStore global logout is called after that in OidcHttpFacade resetCookie(final String name, final String path) method is called but the inner lambda not called to setCookie(...) , so frontend COOKIE_STATE is still exists and frontend can call every endpoint.
What do I do wrong, why setCookie not called in the lambda expression?
It's works when I use SessionStore (logs out perfectly) instead of CookieStore, but whit Session store I can't manage to make SSO with the 3 WAR.
Patrik B
Jun 11, 2025, 9:07:06 AMJun 11
to WildFly
I don't know is the best way but with web.xml configured to the same cookie, invalidate and logout works perfect
<session-config>
<session-timeout>240</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
<cookie-config>
<path>/</path>
<name>OIDC_STATE</name>
<session-timeout>240</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
<cookie-config>
<path>/</path>
<name>OIDC_STATE</name>
</cookie-config>
</session-config>
</session-config>
Reply all
Reply to author
Forward
0 new messages