Spring: adapter-core logout uses Frontend URL from backend

[kernalex-exx]

I am working on a legacy application using Spring, GWT and Keycloak. After a migration in new infrastructure we started to configure the Frontend URL in Keycloak and configuring the application with the internal URL:

• backendUrl: keycloak:8080
• frontendUrl: keycloak.test.some.domain
  It worked without any problems with both applications configured correctly. The redirection in the browser uses the frontendUrl, debgging shows that endpoints are called with the backendUrl.
  But after activating a Network Policy which prohibits the application to call the frontendUrl directly I noticed that the logout/end_session_endpoint from .well-known/openid-configuration endpoint configures the frontendUrl. I understand why that is for frontend-only apps, but the logout from adapter-core does not work anymore, because frontendUrl is not reachable.

I tried to move the logout into the frontend, but than I would have to invalide tokens manually and introduce a big change. Instead I was able to wrap KeycloakDeployment and override getLogoutUrl().
But that does not feel like the right solution, but I am not sure in which direction to go from here.

• Separation of GWT-Frontend and Spring-Backend with multiple clients?
• Bite the bullet and move logout into the frontend?
• Any configuration I have missed?

Thank you!

[OLibutzki]

Hi @kernalex-exx,

I stumbled upon the very same issue. Can you share your workaroung wrapping KeycloakDeployment?

Nevertheless I am interested in a better solution as well.

[kernalex-exx]

Hi Oliver, it looks like this:

public class BackendLogoutKeycloakDeployment extends KeycloakDeployment {
    private final KeycloakDeployment delegate;

    public BackendLogoutKeycloakDeployment(KeycloakDeployment delegate) {
        this.delegate = delegate;
        // one call in AdapterDeploymentContext without getter , so it has to be set
        this.relativeUrls = delegate.getRelativeUrls();
    }

    @Override
    public KeycloakUriBuilder getLogoutUrl() {
        delegate.getLogoutUrl();
        return KeycloakUriBuilder.fromUri(KeycloakUriBuilder.fromUri(delegate.getAuthServerBaseUrl()).clone()
                .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString());
    }

    //all other overridden methods just delegate
}

It is built in an FactoryBean<AdapterDeploymentContext> which is injected with the AdapterConfig

    @Override
    public AdapterDeploymentContext getObject() throws Exception
    {
        return new AdapterDeploymentContext(
                new BackendLogoutKeycloakDeployment(KeycloakDeploymentBuilder.build(adapterConfig)));
    }

[msavy]

I ended up doing a similar workaround (more manual approach as not using Spring etc); it works well, though. Thanks @kernalex-exx.

One complication is that some of the methods you need to delegate are protected.

Traditionally you might hack that by using 'split package' tricks, but that doesn't work in newer versions of Java+WildFly.

For some of the methods you can work around it by calling a different method in the delegate that triggers the same code paths, and in other cases you don't need the functionality for this flow so you can return null/throw an exception.