Currently the logout correctly logs out of the OpenBikeSensor portal, but does not invalidate the Keycloak login.

Expected behaviour:

1. log in
2. log out via logout on the OpenBikeSensor page
3. click login again
4. asked for password and username again

Actual behaviour:

1. log in
2. log out via logout
3. click login again
4. logged into the last logged-in user's session WITHOUT being asked for username and password

The problem with this is that there is currently no way for a user to invalidate their session.
This means that, for instance, when logging in from a third-party system, the next user of that system may be able to access the user's data without having to provide credentials.
There is a possibility of a so-called "backchannel logout" in keycloak, which is exactly this: The application, when ending the user session, sends the user agent to the auth server to terminate the session there as well.
It just needs to be implemented ;)
opatut changed the title from "Logout does not work (keycloak session not invalidated)" to "Implement back-channel logout" on Mar 10, 2022