WildFly / WFLY-17979

Clear all war's sessions when user logs out from Jakarta Forms web application


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • JSF, Security

    Description

      I have 4 war applications deployed to WildFly (27.0.1, standalone-full configuration). finance_view and marketing_view (frontend) are Jakarta Faces 10 applications; finance_data and marketing_data are JAX-RS (backend), also Jakarta 10. All 4 applications use Jakarta Security OIDC with elytron-oidc-client.

      finance_view and marketing_view have the same Client ID.
      finance_data and marketing_data are also connected with the same Bearer Only Client ID.

      If I log out from finance_view or marketing_view, the user session on Keycloak (20.0.2) disappears, but I am logged out only from the application where I clicked the logout.

      The session also disappears when I log out from the Keycloak GUI logout page (OpenID Endpoint Configuration) end_session_endpoint "http://web.development:8080/realms/test/protocol/openid-connect/logout", but nothing happens on my WildFly server.

      My problem is that when I log out from finance_view, WildFly (I guess this part is from elytron-oidc-client) does not make any change to the other applications using the same clientId. When I go back to marketing_view I am still able to use the application as a logged-in user. And not only does marketing_view still work: I am able to make a request to marketing_data on a secured endpoint and it behaves as if the token were still valid, just like the frontend application, while at this point there are no sessions on Keycloak.

      It takes about 3 minutes for Keycloak and elytron-oidc-client to synchronize. After synchronization I receive an ERROR, and from then on everything works as expected again: I am redirected to the login page.

      11:46:59,778 When I was logged in. And everything was fine.

      11:49:51,780 ERROR [org.wildfly.security.http.oidc] (default task-4) ELY23012: Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Token is not active"}


      This is how I implemented logout: a button that redirects to a non-secure page, with the logout logic in #{logout.submit()}.

      <h:commandLink value="Sign out" styleClass="dropdown-item" action="/home.xhtml" actionListener="#{logout.submit()}"/>

      import jakarta.enterprise.context.RequestScoped;
      import jakarta.inject.Inject;
      import jakarta.inject.Named;
      import jakarta.servlet.ServletException;
      import jakarta.servlet.http.HttpServletRequest;

      @Named
      @RequestScoped
      public class Logout {

          @Inject
          private HttpServletRequest request;

          // Ends the container login for this request, then drops the local HTTP session.
          public void submit() throws ServletException {
              request.logout();
              request.getSession().invalidate();
          }
      }
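As an added example, not code from this report or from WildFly/elytron-oidc-client: a per-war OIDC back-channel logout receiver, the standard mechanism by which the provider tells each relying party that a session ended, so a war stops depending on the next token refresh (the 3-minute window above) to learn that the Keycloak session is gone. It assumes the application calls register() with the ID token's sid claim after login, that Keycloak is configured to POST its logout_token to this URL, and that the realm's RS256 public key has been loaded into realmSigningKey; the class, URL and field names are invented here.

```java
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical per-war OIDC back-channel logout receiver; not part of elytron-oidc-client. */
@WebServlet("/oidc/backchannel-logout")
public class BackchannelLogoutServlet extends HttpServlet {
    private static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    // Keycloak session id (the ID token's "sid" claim) -> local HttpSessions opened under it.
    private static final Map<String, Set<HttpSession>> SESSIONS_BY_SID = new ConcurrentHashMap<>();
    // ASSUMPTION: the realm's RS256 signing key, loaded at startup from the realm JWKS endpoint.
    static PublicKey realmSigningKey;
    /** Call once after login (e.g. from a filter) with the "sid" claim of the user's ID token. */
    public static void register(String sid, HttpSession session) {
        SESSIONS_BY_SID.computeIfAbsent(sid, k -> ConcurrentHashMap.newKeySet()).add(session);
    }
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            JsonObject claims = verifiedClaims(req.getParameter("logout_token"));
            // Logout token: names the logout event, has "sid" (required here), never a "nonce"; production code also checks iss/aud/iat/jti.
            if (claims.containsKey("nonce") || !claims.containsKey("sid")
                    || !claims.getJsonObject("events").containsKey(LOGOUT_EVENT)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return;
            }
            Set<HttpSession> victims = SESSIONS_BY_SID.remove(claims.getString("sid"));
            if (victims != null) for (HttpSession s : victims)
                try { s.invalidate(); } catch (IllegalStateException alreadyGone) { /* timed out */ }
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (GeneralSecurityException | RuntimeException forgedOrMalformed) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
    /** Verifies the compact JWS with the realm key (RS256) and returns its payload claims. */
    static JsonObject verifiedClaims(String jwt) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        Signature rs256 = Signature.getInstance("SHA256withRSA"); rs256.initVerify(realmSigningKey);
        rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!rs256.verify(Base64.getUrlDecoder().decode(parts[2]))) throw new SignatureException("bad signature");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(payload)).readObject();
    }
}
```

The registry is per war, matching the observation above that the wars share no session state; a HttpSessionListener should additionally prune entries for sessions that expire on their own.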

      People

        fjuma1@redhat.com Farah Juma
        janez.puntar Janez Puntar