I am using Keycloak 4.8.3 and wildfly-14.0.1 in my Java application. I am facing a problem deleting the session from a Servlet Filter. Below are the approaches I tried.

Approach 1: I am using HttpServletRequest.logout() to delete the session from Keycloak. This approach is not working for me and I am getting refresh-token equal to NULL.

Approach 2: But when I trigger a REST call using a curl command with the access token provided:

    curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' \
    -i 'https://authserver/auth/realms/{realm}/protocol/openid-connect/logout' \
    --data 'username=abc&password=def&client_id=client-id&grant_type=refresh_token&client_secret=a682049d-587c-4c38-a594-814f08b0ca7&refresh_token=<refresh_token>'

Approach 2 is working fine.

I am not sure why, in the case of Java, I am getting refresh-token NULL. Below is the code:

    // Look up the security context the Keycloak adapter attaches to the request.
    KeycloakSecurityContext keycloakSecurityContext =
            (KeycloakSecurityContext) httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
    if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
        RefreshableKeycloakSecurityContext ksc = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
        // getRefreshToken() returns the encoded token string; TokenUtil decodes it.
        String refreshToken = ksc.getRefreshToken();
        RefreshToken refreshTokenDecoded = TokenUtil.getRefreshToken(refreshToken);
    }
  • Possible duplicate of [Logout user via Keycloak REST API doesn't work](https://stackoverflow.com/questions/46689034/logout-user-via-keycloak-rest-api-doesnt-work) – ravthiru Feb 04 '19 at 23:11
  • KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext)httpRequest.getAttribute( KeycloakSecurityContext.class.getName() ); if(keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) { RefreshableKeycloakSecurityContext ksc = (RefreshableKeycloakSecurityContext)keycloakSecurityContext; RefreshToken refreshToken = ksc.getRefreshToken(); RefreshToken refreshTokenDecoded = TokenUtil.getRefreshToken(refreshToken); // Getting as null. } – Shruthi Feb 05 '19 at 05:35
  • This is how I am trying to retrieve the refresh token. – Shruthi Feb 05 '19 at 05:36
  • httpRequest.logout(); will log out of the currently logged-in session. Why do you want to get the refresh token? – ravthiru Feb 05 '19 at 05:41
  • For me, httpRequest.logout() is not deleting the Keycloak session. – Shruthi Feb 05 '19 at 05:45
  • What is the Access Type set for your client? If it is bearer-only, then the refresh token will be null. – ravthiru Feb 06 '19 at 12:25
  • curl -X GET "https://abc/api/getById/1" -H "accept: application/json" -H "Authorization: bearer " is my curl command. – Shruthi Feb 07 '19 at 06:58
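
Added example (not code from the question, its comments, or Keycloak itself): a filter-side helper that reads the refresh token string from the adapter's security context and posts it to the realm logout endpoint shown in the curl command, returning false instead of failing when the token is null. The class name, method and parameters are hypothetical, and it assumes a confidential client for which client_id, client_secret and refresh_token are sufficient form fields.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;

/** Hypothetical helper (name and parameters are assumptions, not Keycloak API). */
public final class KeycloakSessionLogout {
    /** Returns true only if Keycloak accepted the logout; false if no refresh token is available. */
    public static boolean logout(HttpServletRequest request, String logoutUrl,
                                 String clientId, String clientSecret) throws Exception {
        Object ctx = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (!(ctx instanceof RefreshableKeycloakSecurityContext)) {
            return false;
        }
        // The adapter exposes the refresh token as the encoded JWT string.
        String refreshToken = ((RefreshableKeycloakSecurityContext) ctx).getRefreshToken();
        if (refreshToken == null) {
            return false; // the comments name a bearer-only client as one cause
        }
        String form = "client_id=" + enc(clientId)
                + "&client_secret=" + enc(clientSecret)
                + "&refresh_token=" + enc(refreshToken);
        HttpURLConnection conn = (HttpURLConnection) new URL(logoutUrl).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(form.getBytes(StandardCharsets.UTF_8));
            }
            if (conn.getResponseCode() / 100 != 2) {
                return false; // keep the local session so the caller can retry or report
            }
        } finally {
            conn.disconnect();
        }
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate(); // drop the local session as well
        return true;
    }

    private static String enc(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }
}
```

Unlike the curl call with `-k`, this leaves Java's default TLS certificate validation in place, and neither the refresh token nor the client secret is written to a log.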
