2 Replies Latest reply on Jun 12, 2015 4:12 PM by Divya Dadlani

    Errai 3.2.0-SNAPSHOT Security Demo + Keycloak 1.2.0.Final = logout discrepancies issue ?

    Hristo Stoyanov Master

      Hi Christian and Divya,

      I took the security demo in Errai 3.2.0-SHNAPSHOT for a spin and ran it against a Keycloak 1.2.0, after I noticed the fixes for ERRAI-855  (thanks, by the way!).

       

      I noticed something interesting:

      1. Upon first use, the user is forwarded to the demo's login page and then the KC's login page, where s/he logs in. Upon return to the demo, the Login button in the header menu is replaced with Logout, as expected.

      2. The security demo ping  works, as expected.

      3. The uses logs out, the menu bar changes and shows the Login button again, as expected.

      4.  However, if you go to the Keycloak admin page for the realm and click on the user, you will see that there is still an active session, despite the logout?

      5. At this point you can do two things:

          a. if you repeat step 1, you will not be challenged for password by KC, although the demo will force you through its own login page. This is odd!

          b. You  can force-logout the user in KC user admin page (you can press the "Logout All Sessions" button  and refresh KC user page to confirm there are no user sessions). However, the outcome of the scenario in 5a is the same - KC will not challenge you for a password?

       

      In summary, there seems to be a disconnect between Errai/demo logout and KC logout.  However, if you wait a few minutes, KC will start to require a password!


      I repeated the test in both Chrome and Firefox, making sure browsers do not remember the passwords. The discrepancy in logouts is present in both.


      Does anyone have an explanation?


      Thanks