Keycloak SSO Session Idle timeout does not trigger while user session is idle for that configured time - spring-boot

Our application is created by JHipster, which comprises Spring Boot, Keycloak and a PostgreSQL DB. I have set the "SSO Session Idle" time to 1 minute in the Keycloak realm settings.
The expectation is that Keycloak should send a logout event if the user is idle for 1 minute or more. But nothing is happening (not even a log entry in Keycloak) and the session is still alive. I am able to call other REST APIs without any issue.
While logging in through Keycloak I am able to see the following log entry in Keycloak. Not sure whether this is creating the problem.
03:57:20,717 WARN [org.keycloak.events] (default task-64) type=REFRESH_TOKEN_ERROR, realmId=google, clientId=youtube, userId=8299cea8-8ebf-45df-8685-b37445620255, ipAddress=10.198.140.148, error=invalid_token, grant_type=refresh_token, refresh_token_type=Offline, refresh_token_id=2b031b6d-5ff4-4967-a300-42b930dfc04b, client_auth_method=client-secret
Is there anything specific I have to configure in application.yaml or application_prod.yaml to get the session expired event in the Spring Boot JHipster application?
I have been stuck on this for many days. Any help would be much appreciated.
I am expecting that when the session idle time is set in Keycloak, Keycloak should send a session timeout or logout event, and the JHipster Spring Boot application should be able to log out.
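What the realm setting changes and what the application actually sees, as an added example that is not code from the question, from JHipster or from Keycloak: Keycloak enforces SSO Session Idle on its own side, the idle clock is refreshed by traffic to Keycloak (such as a token refresh) and not by calls to the application's REST APIs, and nothing is pushed to the application merely because the limit has passed; the expiry surfaces the next time the adapter talks to Keycloak, typically as a refresh error of the kind seen in the REFRESH_TOKEN_ERROR line above. Meanwhile an access token that the application validates statelessly stays acceptable until its own exp claim (Access Token Lifespan). The stdlib-only Python below verifies a constructed token and adds the application-side idle check that produces the behaviour the question expects, keyed by the Keycloak session id in the sid claim (session_state on older releases). The realm URL, the shared secret, HS256 signing (a real realm signs with RS256 and the app verifies against the realm JWKS), the timestamps and the 60-second idle window are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT for the constructed sample below.
    Demo assumption: Keycloak actually signs with RS256, verified via its JWKS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes, issuer: str, now: int):
    """Stateless bearer-token check: signature, issuer, exp. Nothing here knows
    the realm's SSO Session Idle value; the token is accepted until its own exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad_signature", {}
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        return False, "wrong_issuer", claims
    if now >= int(claims.get("exp", 0)):
        return False, "expired", claims
    return True, "ok", claims


class IdleSessionTracker:
    """Application-side idle limit keyed by the Keycloak session id in the token."""

    def __init__(self, idle_seconds: int):
        self.idle_seconds = idle_seconds
        self.last_seen = {}
        self.expired = set()

    def touch(self, sid: str, now: int) -> str:
        if sid in self.expired:
            return "idle_expired"
        last = self.last_seen.get(sid)
        if last is not None and now - last > self.idle_seconds:
            # Log the session out locally; a fresh login yields a new sid.
            self.expired.add(sid)
            del self.last_seen[sid]
            return "idle_expired"
        self.last_seen[sid] = now
        return "active"


def authorize_request(token: str, secret: bytes, issuer: str,
                      tracker: IdleSessionTracker, now: int) -> str:
    """Decision for one API call: token problems first, then the idle limit."""
    ok, reason, claims = verify_token(token, secret, issuer, now)
    if not ok:
        return reason
    sid = claims.get("sid") or claims.get("session_state")
    if not sid:
        return "no_session_id"
    return tracker.touch(sid, now)


# Constructed sample (hypothetical realm URL and secret): a 5-minute access token
# and a 60-second idle limit mirroring the "SSO Session Idle = 1 minute" setting.
SECRET = b"demo-only-shared-secret"
ISSUER = "http://localhost:8080/auth/realms/jhipster"
TOKEN = make_token({"iss": ISSUER, "sub": "user-1", "sid": "sess-1",
                    "iat": 1000, "exp": 1300}, SECRET)


def demo() -> list:
    """Replay calls at t=1000, 1030, 1100 (70 s idle), 1120, 1310 (past exp)."""
    tracker = IdleSessionTracker(idle_seconds=60)
    return [(now, authorize_request(TOKEN, SECRET, ISSUER, tracker, now))
            for now in (1000, 1030, 1100, 1120, 1310)]
```

At t=1100 verify_token still answers "ok" because the token has not reached exp; only the tracker turns the call away. Without such a check, or a short Access Token Lifespan so that refreshes (where Keycloak applies the idle limit) happen often, or a per-request call to Keycloak's token introspection endpoint, the application will keep serving a valid token for the rest of its lifespan no matter what the realm's idle setting says.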

Related

How can we change the session timeout or the max sessions per user in a Spring Boot application AT RUNTIME?

To configure this at boot-up time we can either set it in the HttpSecurity object or in application.yml. But how can we do this dynamically at run-time? i.e. in response to a user prompt after the system has started up and is already serving requests and has logged-in users.

Keycloak Single Logout Issue with multiple clients

I have built two Keycloak clients (spring-client and tomcat-client, using the Keycloak OIDC Spring Boot adapter and the OIDC Tomcat adapter) and both are working in the same realm. I have two problems with these clients.
When I am going to sign in to those clients, I need to provide the username and password for each client separately even though I am using the same browser (multiple tabs) and the same username.
When I need to sign out, only a single client (tomcat-client) logs out and the other client (spring-boot-client) does not log out at all and keeps the session until a timeout occurs.
Further, when I was investigating I found that there are two separate sessions created for both clients. (see the image)
Since I am using the same realm and the same user I have no idea how two sessions were created. There is another thing I noticed: tomcat-client & security-admin-console are both in the same session. When I log out from the Keycloak admin console then the tomcat client automatically logs out. The problem is only with the spring-boot client.
Also I have set each client's admin URL as the base URL of each application.
Can someone help me to sort this out.
Thank you
After lots of debugging I finally found the problem in my configuration.
In the Spring Boot adapter configuration file I had set the Keycloak URL as http://127.0.0.1:8080/auth
In the other adapter configuration file I had set it as http://localhost:8080/auth
The issue was fixed once the same URL was used in both adapter configurations.
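Why the two URLs produce two SSO sessions, as an added example that is not part of the answer above or of Keycloak's own code: the browser scopes cookies by host name, and Keycloak issues its session cookies (KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) without a Domain attribute, so a cookie obtained after logging in at localhost is never presented to 127.0.0.1. The second adapter therefore starts a fresh login and a second SSO session, and a logout on one session cannot touch the other. The stdlib-only Python below replays that with http.cookiejar, which applies the same host-matching rules a browser does, using a constructed login response; the cookie value, realm name and URLs are assumptions for the demo. A small helper also flags adapter configurations whose auth-server-url values resolve to different origins, which is the check that would have caught the mismatch here.

```python
import email.message
import http.cookiejar
import urllib.request
from urllib.parse import urlsplit


class _ConstructedResponse:
    """Minimal stand-in for an HTTP response so CookieJar.extract_cookies runs offline."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def login_and_store_cookie(jar: http.cookiejar.CookieJar, login_url: str) -> None:
    """Simulate Keycloak's login response: a session cookie with a Path but no Domain
    attribute (constructed value), so the jar scopes it to the exact request host."""
    request = urllib.request.Request(login_url)
    response = _ConstructedResponse(
        ["KEYCLOAK_SESSION=demo/user-1/sess-1; Path=/auth/realms/demo/"])
    jar.extract_cookies(response, request)


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """The Cookie header a browser would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def sso_cookie_shared(login_url: str, other_url: str) -> tuple:
    """(cookie sent back to the login host, cookie sent to the other host)."""
    jar = http.cookiejar.CookieJar()
    login_and_store_cookie(jar, login_url)
    return (cookie_header_for(jar, login_url) is not None,
            cookie_header_for(jar, other_url) is not None)


def distinct_auth_server_origins(adapter_configs: dict) -> set:
    """Reduce each adapter's auth-server-url to scheme://host:port. More than one
    distinct origin means those clients can never share a single Keycloak SSO session."""
    origins = set()
    for url in adapter_configs.values():
        parts = urlsplit(url)
        origins.add(f"{parts.scheme.lower()}://{parts.netloc.lower()}")
    return origins


# Constructed URLs mirroring the two adapter configurations from the answer.
LOGIN_VIA_LOCALHOST = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"
LOGIN_VIA_LOOPBACK_IP = "http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/auth"
ADAPTERS = {"spring-client": "http://127.0.0.1:8080/auth",
            "tomcat-client": "http://localhost:8080/auth"}
```

Running sso_cookie_shared(LOGIN_VIA_LOCALHOST, LOGIN_VIA_LOOPBACK_IP) gives (True, False): the login host gets its cookie back, the other host gets nothing and must authenticate again. The same logic applies to a real deployment that mixes an internal hostname with a public one, or http with https, in the adapters' auth-server-url; distinct_auth_server_origins on all adapter configs should return exactly one origin.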

Reset all sessions in Spring Boot app (JSESSIONID)?

I'm troubleshooting an authentication/registration flow and need a quick way to reset all sessions server side (no curl or other client-side logout magic!).
Is there a Spring Actuator or JMX-ready endpoint to invalidate all sessions?
We use Tomcat as an embedded server, if it helps...
Seems there is a dedicated Spring Actuator Endpoint:
https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints
sessions - Allows retrieval and deletion of user sessions from a Spring Session-backed session store. Requires a Servlet-based web application using Spring Session.
https://docs.spring.io/spring-boot/docs/current/actuator-api/html/#sessions-retrieving
21.2. Retrieving a Single Session
curl 'http://localhost:8080/actuator/sessions/4db5efcc-99cb-4d05' -i -X GET
curl 'http://localhost:8080/actuator/sessions/4db5efcc-99cb-4d05' -i -X DELETE
Extra step to enable Actuator endpoints:
management.endpoints.web.exposure.include:
- env
- health
- info
- sessions

Spring Boot w/ KeyCloak and Redis session store

Can someone suggest how to configure a Spring Boot application to authenticate via KeyCloak, and then use Redis as the session store? I've spent a day googling and banging my head on this, and I just don't feel like I'm getting anywhere.
I know how to configure each one independently - i.e. I can make a Boot app that auths via KeyCloak, and I can also make a Boot app that keeps the session in Redis, but I'm not getting them to work together. Is this possible? It seems like it should be. Or is this just not how it's supposed to work?
I think my working POC would behave something like this:
start my app
access some resource that forces a login via KeyCloak - access to resource is granted
restart my app
access that same resource but now no login is needed (since session is persisted in Redis)
Thanks for any suggestions.
OK - turns out I'm just not paying attention. I was not using the access/bearer token correctly. There is no need to keep the Spring session around when the bearer token is properly provided in requests.

Invalidating Http Session on maximum allowable session for a user

I developed a web application using Spring and Hibernate. Using Spring Security, I am restricting users to one session per user. When a user attempts multiple logins, the old session will be invalidated and the new one will be active. I have registered an HttpSessionListener in my web.xml file. In the sessionDestroyed method I have written some functionality that will be executed when the HTTP session gets invalidated.
Now the problem is that when a single user tries multiple logins, Spring Security expires the old session but does not invalidate it, so in that case the sessionDestroyed method is not executed. But I want the sessionDestroyed method to be called when Spring Security expires the old session.
Can anyone please help me resolve this problem.
