问题描述

我有一个配置，其中我使用Keycloak作为Identity Broker，并使用自定义的身份提供程序(使用Spring Security OAuth)来提供用户信息.

I have a configuration where I'm using Keycloak as an Identity Broker, and a custom Identity Provider (using Spring Security OAuth) to provide user information.

我观察到的是，当我尝试注销(使用前通道流)时，保留了包含KEYCLOAK_IDENTITY的Keycloak cookie.我希望看到Set-Cookie标头将过期设置为过去的某个日期.

What I observe is that when I attempt to log out (using frontchannel flow), Keycloak cookies including KEYCLOAK_IDENTITY remain. I expect to see Set-Cookie headers setting the expires to some date in the past.

的含义是，如果我随后转到受保护的端点/页面，则无需重新登录就可以访问该资源.Keycloak从KEYCLOAK_IDENTITY cookie中读取IdToken值，并使用该值重新认证用户

The implication of this is that if I then go to a protected endpoint/page, I am able to access that resource without logging back in. Keycloak reads the IdToken value from the KEYCLOAK_IDENTITY cookie and uses that to reauthenticate the user.

如何配置Keycloak完全注销用户?

How do I configure Keycloak to fully log a user out?

推荐答案

该解决方案埋在Keycloak源代码中:

The solution is buried in the Keycloak source code:

• 如果我在身份提供程序"配置中指定注销URL，则Keycloak不会取消设置其自己的cookie.参考:OIDCIdentityProvider.keycloakInitiatedBrowserLogout().此方法需要返回null，以便Keycloak取消设置其Cookie.

• If I specify a logout url in my Identity Provider configuration, Keycloak will not unset its own cookies. Reference: OIDCIdentityProvider.keycloakInitiatedBrowserLogout(). This method needs to return null in order for Keycloak to unset its cookies.

这篇关于如何让Keycloak注销注销会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！