Add support for Keycloak session revocation

Is your feature request related to a problem? Please describe.
When using Alerta with an on-prem Keycloak, when a user clicks Log Out, he/she is presented with a You have been logged out message.

Clicking LOG IN again will log you on again with the same credentials, without being prompted for username / password.

It is possible in Keycloak to revoke a user's session by calling a revocation URL.

https://www.keycloak.org/docs/4.8/securing_apps/index.html#logout-endpoint

Describe the solution you'd like
Add optional support for revocation of the Keycloak session when the user clicks the Log Out link.

This would truly log the user out, so that he/she can rest assured that he/she is truly logged out of the realm and that no unauthorized user who gains access to the desktop / browser can access services on the user's behalf!

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

satterly commented, Jan 11, 2020 (2 reactions)

I’ve managed to get it working for Azure OIDC which used the browser cookies to determine which user to logout, but it failed with Okta which seems to want you to provide the original id_token. I’ve yet to test this with Keycloak.

[Two screenshots attached, taken 2020-01-11 at 10:21:14 and 10:21:35]

satterly commented, Jan 12, 2020 (1 reaction)

Tested this with Keycloak now and it mostly works. The user session in Keycloak is revoked on logout from Alerta web UI but the browser is not redirected back to the “post_logout_redirect_url” so the user is just presented with a blank page. Not ideal but good enough for now.
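The two points the thread turns on are (a) logging out locally does nothing to the IdP session, so the next "Log in" is silent, and (b) the logout hand-off needs an `id_token_hint` for some providers and a correctly named post-logout redirect parameter for the browser to land somewhere useful. The following is an added example, not Alerta's code or Keycloak's, showing an RP-initiated logout step in Python: it reads `end_session_endpoint` from a constructed OIDC discovery document (hostnames and realm are placeholders), clears the local session, and builds the redirect URL. It assumes the app kept the user's ID token from login, that the allowed post-logout landing pages are an app-side allow-list (so the hand-off cannot be abused as an open redirect), and that older Keycloak releases looked for a non-standard `redirect_uri` parameter where the OIDC RP-Initiated Logout spec uses `post_logout_redirect_uri`; the `legacy_redirect_param` switch exists only to illustrate that difference.

```python
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed OIDC discovery document (shape per OpenID Connect Discovery 1.0).
# Hostnames and realm are placeholders for this example, not a real deployment.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://keycloak.example.test/auth/realms/alerta",
    "authorization_endpoint": "https://keycloak.example.test/auth/realms/alerta/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/auth/realms/alerta/protocol/openid-connect/token",
    "end_session_endpoint": "https://keycloak.example.test/auth/realms/alerta/protocol/openid-connect/logout",
})

# Post-logout destinations the app is willing to send the browser to (assumed app config).
# Refusing anything else keeps the logout hand-off from becoming an open redirect.
ALLOWED_POST_LOGOUT_URIS = frozenset({"https://alerta.example.test/"})


def end_session_endpoint(discovery_json: str) -> str:
    """Read the IdP's end_session_endpoint from its discovery document.

    Not every OIDC provider publishes one, so a missing value is an error
    rather than a silent fallback to local-only logout.
    """
    endpoint = json.loads(discovery_json).get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider does not advertise end_session_endpoint")
    return endpoint


def is_allowed_post_logout_uri(uri: str) -> bool:
    """Exact-match allow-list check for the post-logout landing page."""
    return uri in ALLOWED_POST_LOGOUT_URIS


def build_logout_url(endpoint: str, id_token: Optional[str], post_logout_redirect_uri: str,
                     legacy_redirect_param: bool = False) -> str:
    """Compose the RP-initiated logout URL the browser is redirected to.

    id_token_hint tells the IdP which session to end (Okta requires it;
    Keycloak accepts it). post_logout_redirect_uri is the standard parameter;
    older Keycloak releases looked for a non-standard `redirect_uri` instead
    (assumption stated in the lead-in), so a request carrying only the
    standard name ended the session but left the browser on a blank page.
    legacy_redirect_param=True emits that older name.
    """
    if not is_allowed_post_logout_uri(post_logout_redirect_uri):
        raise ValueError("post-logout redirect target is not in the allow-list")
    params = {}
    if id_token:
        params["id_token_hint"] = id_token
    key = "redirect_uri" if legacy_redirect_param else "post_logout_redirect_uri"
    params[key] = post_logout_redirect_uri
    return f"{endpoint}?{urlencode(params)}"


def logout(session: dict, discovery_json: str, post_logout_redirect_uri: str,
           legacy_redirect_param: bool = False) -> str:
    """Server-side logout handler: clear local state, then return the IdP URL
    the browser must be redirected to.

    Clearing only the local session, which is what the issue describes,
    leaves the IdP session alive, so the next "Log in" click succeeds with
    no credential prompt.
    """
    id_token = session.get("id_token")  # captured at login, needed as the hint
    session.clear()
    return build_logout_url(end_session_endpoint(discovery_json), id_token,
                            post_logout_redirect_uri, legacy_redirect_param)


if __name__ == "__main__":
    demo_session = {"user": "alice", "id_token": "eyJ.constructed.token"}
    print(logout(demo_session, DISCOVERY_JSON, "https://alerta.example.test/"))
```

The order matters: the local session is dropped before the redirect is issued, so even if the IdP hand-off fails the app itself no longer trusts the browser; and the IdP session is ended by the redirect, which is the part that prevents the silent re-login the issue reports.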
