
KEYCLOAK VERTX logout


I'm currently using Keycloak with Vert.x and I'm trying to log out from my application, but I can't remove the token. When I log out, I still have access to the private page. Can you give me some advice?

This is my code:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.util.Properties;

    import io.vertx.core.Vertx;
    import io.vertx.ext.auth.oauth2.AccessToken;
    import io.vertx.ext.auth.oauth2.OAuth2FlowType;
    import io.vertx.ext.auth.oauth2.OAuth2Options;
    import io.vertx.ext.auth.oauth2.providers.OpenIDConnectAuth;
    import io.vertx.ext.web.Router;
    import io.vertx.ext.web.handler.OAuth2AuthHandler;
    import io.vertx.ext.web.handler.SessionHandler;
    import io.vertx.ext.web.handler.StaticHandler;
    import io.vertx.ext.web.sstore.LocalSessionStore;

    public class Main {

      public static void main(String[] args) throws Exception {
        Vertx vertx = Vertx.vertx();
        Router router = Router.router(vertx);

        // the auth-code flow keeps the logged-in user in the session, so a session
        // handler has to be installed first (the posted excerpt does not show where
        // this happens; assumed here so that context.session() below is not null)
        router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));

        InputStream input = new FileInputStream("./config.properties");
        Properties prop = new Properties();
        prop.load(input);

        String resource = prop.getProperty("resource");
        String credentials = prop.getProperty("credentials");
        int listeningPort = Integer.parseInt(prop.getProperty("listeningPort"));
        // `index` is used below but not defined in the posted excerpt; assumed to be
        // the path of the public start page, read from the same properties file
        String index = prop.getProperty("index");

        // discovery reads the realm metadata and fills in the endpoints
        OpenIDConnectAuth.discover(vertx,
                new OAuth2Options()
                .setFlow(OAuth2FlowType.AUTH_CODE)
                .setSite("http://10.241.0.188:8080/auth/realms/demo")
                .setTenant("demo")
                .setClientID(resource)
                .setClientSecret(credentials))

        .onSuccess(oauth2 -> {
            // everything under /private/ goes through the OAuth2 handler
            OAuth2AuthHandler test = OAuth2AuthHandler.create(vertx, oauth2)
                .setupCallback(router.get("/callback"));

            router.route("/private/*").handler(test);

            router.route("/private*").handler(ctx -> {
                ctx.response().sendFile("/home/Documents/private_page.html");
            });

            router.route("/").handler(ctx -> {
                ctx.response().sendFile(index);
            });

            router.route("/webroot/*").handler(StaticHandler.create("webroot"));

            // logout through the (deprecated) AccessToken.logout() call
            router.route("/logout").handler(context -> {
                AccessToken user = (AccessToken) context.user();
                user.logout(res -> {
                    if (res.succeeded()) {
                        // the logout call succeeded
                        context.clearUser();
                        context.session().destroy();
                        context.response().putHeader("location", "/").setStatusCode(302).end();
                    } else {
                        // the user might not have been logged out; to know why:
                        System.err.println(res.cause());
                    }
                });
            });
            vertx.createHttpServer().requestHandler(router).listen(listeningPort);
        });
      }
    }


Solution

  • With Vert.x 4.x the security module has been improved in a way that the User object is now generic and does not require custom class casts for specific providers.

    This means that the example is trying to use deprecated code, so it should be updated for the new API.

    Moreover, Vert.x 4.x also improved the support for the OAuth2 + OpenID Connect standards, and now supports the official end session URL instead of relying on non-standard features like it used to with AccessToken.logout().

    So to perform a logout you now only need to do:

    router.route("/logout")
      .handler(ctx -> {
        // clear the session
        ctx.session().destroy();
        // use the oauth2/oidc end session url to signal the logout
        ctx.redirect(oauth2.endSessionURL(ctx.user()));
      });
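A fuller version of the Vert.x 4 logout described in the answer, added here as an example; it is not code from the original post or from the Vert.x project. It assumes the Keycloak realm URL from the question, a hypothetical client ID, client secret and application base URL, and that the session handler is installed before the OAuth2 handler. It also shows the two halves of a logout that are easy to conflate: destroying the local session (which is what actually revokes access to /private/*) and sending the browser to the realm's end_session_endpoint (which ends the Keycloak SSO session, so that the next trip through the code flow does not silently log the user back in).

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.providers.OpenIDConnectAuth;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.OAuth2AuthHandler;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

public class OidcLogoutVerticle extends AbstractVerticle {

  // Assumed values (not from the original post): the realm URL is the one in the
  // question, the client, secret, base URL and port are hypothetical.
  private static final String REALM_URL = "http://10.241.0.188:8080/auth/realms/demo";
  private static final String CLIENT_ID = "vertx-demo";
  private static final String CLIENT_SECRET = "replace-with-the-client-secret";
  private static final String APP_BASE = "http://localhost:8080";
  private static final int PORT = 8080;

  @Override
  public void start() {
    // Discovery reads the realm metadata and fills in the authorization, token and
    // end_session endpoints, so endSessionURL() below has something to point at.
    OpenIDConnectAuth.discover(vertx, new OAuth2Options()
        .setFlow(OAuth2FlowType.AUTH_CODE)
        .setSite(REALM_URL)
        .setClientID(CLIENT_ID)
        .setClientSecret(CLIENT_SECRET))
      .onSuccess(oauth2 -> vertx.createHttpServer()
        .requestHandler(buildRouter(oauth2))
        .listen(PORT))
      .onFailure(err -> System.err.println("OIDC discovery failed: " + err.getMessage()));
  }

  private Router buildRouter(OAuth2Auth oauth2) {
    Router router = Router.router(vertx);

    // The session is where OAuth2AuthHandler keeps the logged-in User between requests.
    // It has to be installed before the auth handler, and it is what /logout destroys.
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));

    OAuth2AuthHandler authHandler = OAuth2AuthHandler.create(vertx, oauth2, APP_BASE + "/callback")
      .setupCallback(router.get("/callback"));

    // Everything under /private/ requires a logged-in user
    router.route("/private/*").handler(authHandler);
    router.get("/private/*").handler(ctx ->
      ctx.response().putHeader("content-type", "text/plain").end("private page"));

    router.get("/").handler(ctx ->
      ctx.response().putHeader("content-type", "text/plain").end("public page"));

    router.get("/logout").handler(ctx -> {
      // Take the user before clearing it: endSessionURL derives id_token_hint from it
      User user = ctx.user();

      // 1. Drop the local login. This is what revokes access to /private/*; the next
      //    request there finds no user and is sent back through the code flow.
      ctx.session().destroy();
      ctx.clearUser();

      // 2. Also end the Keycloak SSO session. Without this step the code flow in (1)
      //    completes without a password prompt and the user is "logged in" again.
      String endSession = null;
      if (user != null) {
        endSession = oauth2.endSessionURL(user,
          new JsonObject().put("post_logout_redirect_uri", APP_BASE + "/"));
      }
      // Defensive: if discovery produced no end_session_endpoint, endSessionURL has
      // nothing to build, so fall back to the public page instead of redirecting to null
      ctx.redirect(endSession != null ? endSession : "/");
    });

    return router;
  }
}
```

Deploy it with `Vertx.vertx().deployVerticle(new OidcLogoutVerticle())`. Two things to check on the Keycloak side: `APP_BASE + "/"` must be listed in the client's allowed post-logout redirect URIs, or Keycloak refuses the redirect, and the end_session call only terminates the SSO session; access tokens that were already issued stay valid until their `exp`, so any other service that accepted that bearer token will keep accepting it, which is the reason to keep access-token lifetimes short. A GET `/logout` can also be triggered by any page the user visits (forced logout), so in a production application put it behind a POST with CSRF protection.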