gogatekeeper / gatekeeper

An OpenID / Proxy service
https://gogatekeeper.github.io/gatekeeper/
Apache License 2.0

Backchannel logout #121

Open praserx opened 2 years ago

praserx commented 2 years ago

Hi, I am trying to get the Keycloak backchannel logout feature working, but the requests from Keycloak (POST requests) are blocked with status code 405 (method not allowed).

If I read the code right, there is no OAuth route for the POST method for logout, and because of this the router blocks the request. So this feature is missing. Am I right?

Thanks.

p53 commented 2 years ago

No, there is no support for backchannel logout.

hillout commented 10 months ago

@p53 hi, I see it's in your plan to achieve this, just out of curiosity are you willing to close this one?

p53 commented 10 months ago

gatekeeper doesn't maintain any user state or sessions (except for refresh tokens when the redis store is enabled, but the purpose there is different). It does use cookies for storing access/refresh tokens, and because of that it uses the front channel logout mechanism, so I'm not sure what exactly you would like to achieve with gatekeeper and backchannel logout. @praserx @hillout could you provide an example of what you would like to achieve?

p53 commented 10 months ago

If you want to achieve one logout across several apps, there is an option for that: https://gogatekeeper.github.io/gatekeeper/userguide/#session-logout

hillout commented 9 months ago

@p53 hi, sorry for the long response. Maybe I thought that GK could listen on the backchannel and initiate logout instantly, so it would not check user sessions by going to the userinfo endpoint and there would be less load on the Keycloak server. But since GK is a mostly stateless app, then yeah, it makes no sense.

transducer commented 3 months ago

@hillout we have implemented a separate application that does a logout. In our case we have Gatekeepers that protect our backends (with --no-redirects=true) and frontends that all run on the same domain, and tokens are stored in an HttpOnly cookie.

To logout we have to terminate the session in Keycloak and remove the cookies from the domain. For this we created a backend logout application that terminates the session, removes the Keycloak related cookies (kc-access, kc-access-1, kc-state and OAuth_Token_Request_State) and redirects to Keycloak.

This logout application we provide on our applications at the GET /logout route. For logging out on other tabs, frontend SPAs need to poll the backend to see if a 401 is returned from the backend Gatekeeper, and if so, refresh the page so they redirect to the authorization server.
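A minimal Go logout handler along the lines of the design described in the comment above, as an added example (not gatekeeper's own code and not transducer's application): it expires the four cookies on the shared domain and redirects the browser to Keycloak. The cookie domain, client id, end-session URL and post-logout target are assumed placeholder values, and using the OIDC end-session endpoint with `client_id` and `post_logout_redirect_uri` to terminate the Keycloak session is an assumption about the deployment.

```go
package main

import (
	"net/http"
	"net/url"
)

// Cookie names the thread says the logout application removes; they are the
// ones gatekeeper sets (kc-access-1 holds the overflow of a large access token).
var KeycloakCookies = []string{"kc-access", "kc-access-1", "kc-state", "OAuth_Token_Request_State"}

// LogoutHandler clears the gatekeeper cookies on the shared domain, then sends the
// browser to Keycloak's end-session endpoint (ends the SSO session). Values are assumptions.
type LogoutHandler struct {
	CookieDomain       string // must match the Domain attribute gatekeeper used
	EndSessionURL      string // end_session_endpoint from the realm's discovery document
	ClientID           string // Keycloak client the frontends authenticate with
	PostLogoutRedirect string // must be a registered post-logout redirect URI
}

// expiredCookie overwrites a cookie with an already-expired one; Path and Domain
// must match the original, otherwise the browser keeps the old cookie.
func expiredCookie(name, domain string) *http.Cookie {
	return &http.Cookie{Name: name, Value: "", Path: "/", Domain: domain,
		MaxAge: -1, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// LogoutLocation builds the end-session redirect target (client_id plus
// post_logout_redirect_uri, the parameters Keycloak 18+ accepts without an id_token_hint).
func (h LogoutHandler) LogoutLocation() string {
	q := url.Values{}
	q.Set("client_id", h.ClientID)
	q.Set("post_logout_redirect_uri", h.PostLogoutRedirect)
	return h.EndSessionURL + "?" + q.Encode()
}

func (h LogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	for _, name := range KeycloakCookies {
		http.SetCookie(w, expiredCookie(name, h.CookieDomain))
	}
	// 303 makes the browser follow with a GET whatever method reached /logout.
	http.Redirect(w, r, h.LogoutLocation(), http.StatusSeeOther)
}

func main() {
	http.Handle("/logout", LogoutHandler{CookieDomain: "example.test", ClientID: "frontend",
		EndSessionURL: "https://keycloak.example.test/realms/demo/protocol/openid-connect/logout",
		PostLogoutRedirect: "https://app.example.test/"})
	_ = http.ListenAndServe(":8080", nil)
}
```

The SPA-side polling for a 401 from the backend Gatekeeper, as the comment describes, is unchanged by this handler; it only covers the server-side cookie removal and redirect.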