keycloak~自定义登出接口

keycloak提供了登出的接口,不过它是一个post方法,需要你根据client_id,client_secret及refresh_token进行登出操作的,有时不太灵活,所以我又自己封装了一下,通过客户端浏览器上存储的session_id进行会话登出。

kc提供的logout

  • api:{{host}}/auth/realms/fabao/protocol/openid-connect/logout
  • 请求方法:POST
  • 请求类型:x-www-form-urlencoded
  • 参数:
refresh_token:xxx
client_id:xxx
client_secret:xxx

对remove-sessions登出的封装

 // keycloak会话登出逻辑
 @GET
 @NoCache
 @Path("remove-sessions")
 public Response deleteSession(@Context HttpRequest request,
 @QueryParam("redirect_uri") String redirectUri) {
 return removeSession(TokenUtils.getKeycloakSessionIdFromCookies(request), redirectUri);
 }
private Response removeSession(String sessionId, String redirectUri) {
 if (redirectUri == null || redirectUri.trim().length() == 0) {
 log.info("redirect_uri不正确");
 return Response.status(400).entity("redirect_uri不正确").type(MediaType.TEXT_HTML).build();
 }
 TokenUtils.removeSession(session, sessionId);//清除会话
 return Response.status(302)
 .location(HttpUtils.formatUrl(HttpUtils.removeUrlSpaceParams(redirectUri)))
 .cookie(CookieUtils.addCookie(TokenUtils.KC_EXIT_LEGACY, "1"))
 .header(HttpHeaders.SET_COOKIE,
 CookieUtils.cookieString(TokenUtils.KC_EXIT, "1", "/", null, null, -1, true, true,
 ServerCookie.SameSiteAttributeValue.NONE))
 .build();
}
public static void removeSession(KeycloakSession session, String sessionId) {
 try {
 if (sessionId != null) {
 RealmModel realmModel = session.getContext().getRealm();
 log.debugf("will remove sessionId:%s", sessionId);
 UserSessionModel userSession = session.sessions().getUserSession(session.getContext().getRealm(), sessionId);
 if (userSession != null) {
 String path = String.format("/auth/realms/%s/", session.getContext().getRealm().getId());
 CookieUtils.expireCookie(session.getContext().getRealm(), TokenUtils.KEYCLOAK_SESSION,
 path, null, false,
 session.getContext().getConnection(), ServerCookie.SameSiteAttributeValue.NONE);
 CookieUtils.expireCookie(session.getContext().getRealm(), TokenUtils.KEYCLOAK_SESSION_LEGACY, path, null,
 false,
 session.getContext().getConnection(), null);
 CookieUtils.expireCookie(session.getContext().getRealm(), TokenUtils.AUTH_SESSION_ID,
 path, null, false,
 session.getContext().getConnection(), ServerCookie.SameSiteAttributeValue.NONE);
 CookieUtils.expireCookie(session.getContext().getRealm(), TokenUtils.AUTH_SESSION_ID_LEGACY, path, null,
 false,
 session.getContext().getConnection(), null);
 AuthenticationManager.backchannelLogout(session,
 realmModel,
 userSession,
 session.getContext().getUri(),
 session.getContext().getConnection(),
 session.getContext().getRequestHeaders(),
 true);
 }
 }
 } catch (Exception ex) {
 log.error(ex);
 }
 }

通过上面的封装,我们在其它对应到keycloak的客户端,直接在浏览器上输入/auth/realms/fabao/sms/remove-sessions?redirect_uri=your-site,就可以把keycloak在当前浏览器里的会话登出了,并重定向到自己的you-site网站。

作者:张占岭原文地址:https://www.cnblogs.com/lori/p/17445039.html

%s 个评论

要回复文章请先登录注册