Description
I have 4 WAR applications deployed to WildFly (27.0.1, standalone-full configuration). finance_view and marketing_view (frontend) are Jakarta Faces 10 applications; finance_data and marketing_data are JAX-RS (backend) applications, also Jakarta EE 10. All 4 applications use Jakarta Security OIDC with elytron-oidc-client.
finance_view and marketing_view have the same Client ID.
finance_data and marketing_data are also connected with the same Bearer Only Client ID.
If I log out from finance_view or marketing_view, the user session on Keycloak (20.0.2) disappears, but I am logged out only from the application where I clicked the logout.
The session also disappears when I log out from the Keycloak logout page (the end_session_endpoint from the OpenID Endpoint Configuration, "http://web.development:8080/realms/test/protocol/openid-connect/logout"), but nothing happens on my WildFly server.
My problem is that when I log out from finance_view, WildFly (I guess this part is handled by elytron-oidc-client) does not make any change to the other applications using the same client ID. When I go back to marketing_view I am still able to use the application as a logged-in user. And not only does marketing_view still work: I am able to make requests to marketing_data on a secure endpoint, and it behaves as if the token were still valid, just like the frontend application, even though at this point there are no sessions on Keycloak.
It takes about 3 minutes for Keycloak and elytron-oidc-client to synchronize. After synchronization I receive an ERROR, and from then on everything works as expected again: I am redirected to the login page.
11:46:59,778 (when I was logged in and everything was fine)
11:49:51,780 ERROR [org.wildfly.security.http.oidc] (default task-4) ELY23012: Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Token is not active"}
This is how I implemented logout: a button that redirects to a non-secure page, with the logout logic in #{logout.submit()}.
<h:commandLink value="Sign out" styleClass="dropdown-item" action="/home.xhtml" actionListener="#{logout.submit()}"/>
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;

@Named @RequestScoped
public class Logout {
    @Inject
    private HttpServletRequest request;

    // Ends the container login for this WAR, then drops its local HTTP session.
    public void submit() throws ServletException {
        request.logout();
        request.getSession().invalidate();
    }
}
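For comparison, here is an added example (not code from the report above, and not part of WildFly or Keycloak) of a logout bean that performs the local logout exactly as the report does and then sends the browser to the provider's end_session_endpoint quoted in the report, so that the Keycloak SSO session is ended in the same step (RP-initiated logout). The client ID and the post-logout landing page are assumed placeholder values; the `client_id` and `post_logout_redirect_uri` parameters are the ones Keycloak accepts for this endpoint when no `id_token_hint` is sent, and the landing URI has to be registered as a valid post-logout redirect URI on that Keycloak client. Ending the provider session does not by itself invalidate another WAR's local session: as the report shows, that session stays usable until its next token refresh fails, so this example addresses the provider side of the logout, not the cross-application propagation.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import jakarta.enterprise.context.RequestScoped;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

@Named
@RequestScoped
public class ProviderLogout {

    // Assumed values (example only): the end_session_endpoint from the report,
    // a placeholder for the shared frontend client ID, and a public page to land on.
    // POST_LOGOUT_URI must be registered on the Keycloak client as a valid post-logout redirect URI.
    private static final String END_SESSION_ENDPOINT =
            "http://web.development:8080/realms/test/protocol/openid-connect/logout";
    private static final String CLIENT_ID = "frontend-client-id-placeholder";
    private static final String POST_LOGOUT_URI = "http://web.development:8080/finance_view/home.xhtml";

    @Inject
    private HttpServletRequest request;

    // Use as the command's action, e.g. action="#{providerLogout.submit()}",
    // instead of a static navigation outcome, because this method redirects itself.
    public void submit() throws ServletException, IOException {
        // 1. Local logout: end the container authentication and drop this WAR's session.
        //    getSession(false) avoids creating a fresh session just to invalidate it.
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Provider logout: send the browser to Keycloak's end_session_endpoint so the
        //    SSO session there is ended too; Keycloak then redirects back to POST_LOGOUT_URI.
        FacesContext ctx = FacesContext.getCurrentInstance();
        ctx.getExternalContext().redirect(buildLogoutUrl());
        ctx.responseComplete();
    }

    // Builds the RP-initiated logout URL; kept separate so it can be checked in a unit test.
    static String buildLogoutUrl() {
        return END_SESSION_ENDPOINT
                + "?client_id=" + URLEncoder.encode(CLIENT_ID, StandardCharsets.UTF_8)
                + "&post_logout_redirect_uri=" + URLEncoder.encode(POST_LOGOUT_URI, StandardCharsets.UTF_8);
    }
}
```

The local step is done before the redirect on purpose: if Keycloak rejects the logout request (for example because the post-logout URI is not registered), the WAR that initiated the logout is still logged out, and the browser ends up on Keycloak's error page rather than back in an authenticated view.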