nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0
454 stars 321 forks

Kong OIDC plugin is caching the session #29

Closed marek-ganko closed 6 years ago

marek-ganko commented 6 years ago

Problem: Kong OIDC plugin is caching the session.

Description: In my scenario I have application A that uses the Kong plugin, and application B that uses Implicit Grant authentication directly against Keycloak. It seems that after logging out from application B (using this redirect /auth/realms//protocol/openid-connect/logout) I can still access application A, even though there are no active sessions visible in the Keycloak admin console. It can also be reproduced by simply destroying the active session through the Keycloak admin console.

Trojan295 commented 6 years ago

I would need some additional information:

Trojan295 commented 6 years ago

But this looks like expected behaviour. Kong OIDC has a session, and your application with the token has a different session. If you log out with the session from one application, it shouldn't interfere with any other sessions that are established.

A logout invalidates the tokens within the session which made the call, but it doesn't mean that other sessions are invalidated.

Trojan295 commented 6 years ago

Closing due to inactivity