I have a Spring Boot application that is configured as a Spring Security OAuth2 Client. I use Keycloak as my OIDC provider. I serve a compiled Angular application from my Spring Boot application. The Angular app keeps making requests every second to a REST API in the Spring Boot Application.
When the user opens this application in the browser at localhost:4881, they're redirected to the Keycloak login page and after a successful login, they're redirected back to localhost:4881 where the compiled Angular app is rendered.
When a user logs in, I see two sessions created in Keycloak, one called Regular SSO and the other Offline. The Regular SSO session gets cleared out as per the SSO Idle Timeout. However, the Offline session remains for a longer duration in Keycloak but gets cleared from Keycloak eventually.
I am unable to redirect the UI to the Keycloak login page after the SSO Session Idle / SSO Session Max timeout. My assumption is that Keycloak should communicate this session timeout event to the OAuth2 Client and the OAuth2 Client should redirect the UI to the Keycloak Login page for all following requests.
Can someone please tell me if I'm missing something here? I was unsuccessful in finding relevant documentation for this problem.
I set the SSO Session Idle, SSO Session Max and the Offline Session Settings at the realm level.
I've set the Admin URL in the client as well.
I have created a sample application with the exact same setup here: https://github.com/sakethsusarla/keycloak-oauth2-client-ui
backend: A Spring Boot Application configured as an OAuth2 Client, returns the current time through a REST API exposed at /api/currentTime
frontend: An Angular App that fetches the current time from the backend
realm: The realm configuration is present in "keycloak-oauth2-client-ui\backend\src\main\resources\demo-realm.json"
The username and password to log in are demo and demo.
After reading that Keycloak doesn't initiate a Backchannel Logout if a session expires, I decided to add a filter to check the validity of the token and invalidate the session if required.
Adding the following filter worked for me. I've updated my repository with the changes in the main branch.
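One way to implement the check described in the answer above, as an added example that is not the repository's own filter: rather than inspecting the ID token's expiry locally, it asks Spring Security's authorized-client manager to refresh the stored tokens at Keycloak; a refresh that Keycloak rejects (the refresh token is bound to the SSO session, so it stops working once that session has expired or been revoked) means the local HTTP session is stale and gets invalidated, after which the next request is redirected to Keycloak by the normal oauth2Login flow. This assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet, Java 17), that the project does not already define an OAuth2AuthorizedClientManager bean, and that Keycloak issues a refresh token to the client (its default). The class and bean names are my own.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed not to exist in the project yet: a manager that can use the refresh_token grant.
// Both constructor arguments are auto-configured by Spring Boot for an OAuth2 client.
@Configuration
class AuthorizedClientManagerConfig {
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository authorizedClients) {
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        // Refresh only: with no stored client the manager returns null instead of starting a new login.
        manager.setAuthorizedClientProvider(
                OAuth2AuthorizedClientProviderBuilder.builder().refreshToken().build());
        return manager;
    }
}

// Registered by Spring Boot as a servlet filter, i.e. after the Spring Security filter chain,
// so the SecurityContext is already populated when it runs (hypothetical name).
@Component
public class KeycloakSessionValidityFilter extends OncePerRequestFilter {
    private final OAuth2AuthorizedClientManager authorizedClientManager;

    public KeycloakSessionValidityFilter(OAuth2AuthorizedClientManager authorizedClientManager) {
        this.authorizedClientManager = authorizedClientManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous requests (static Angular files before login) carry no OAuth2 token: pass through.
        if (authentication instanceof OAuth2AuthenticationToken token
                && !keycloakSessionStillValid(token, request, response)) {
            // The SSO session is gone: drop the local session and context so that the next
            // request is treated as unauthenticated and oauth2Login redirects it to Keycloak.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    private boolean keycloakSessionStillValid(OAuth2AuthenticationToken token,
                                              HttpServletRequest request,
                                              HttpServletResponse response) {
        // authorize() returns the stored client while its access token is valid and otherwise
        // refreshes it at Keycloak; DefaultOAuth2AuthorizedClientManager needs the servlet
        // request/response as attributes to load and save the client from the session.
        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId(token.getAuthorizedClientRegistrationId())
                .principal(token)
                .attribute(HttpServletRequest.class.getName(), request)
                .attribute(HttpServletResponse.class.getName(), response)
                .build();
        try {
            OAuth2AuthorizedClient client = authorizedClientManager.authorize(authorizeRequest);
            return client != null;
        } catch (OAuth2AuthorizationException ex) {
            // Keycloak refused the refresh (typically invalid_grant once the SSO session has
            // expired or been revoked); the manager's default failure handler has already
            // removed the stored client.
            return false;
        }
    }
}
```

Two caveats for this setup. First, a successful refresh counts as activity in Keycloak, so a client that polls every second will keep the Regular SSO session alive past the SSO Session Idle value; only the SSO Session Max (or an explicit logout) ends it. Second, the polling call is an XHR, and a 302 to the Keycloak login page is not something the browser can follow cleanly from JavaScript, which is why the filter answers the stale request with 401 and leaves the redirect to the next full page load; the Angular app can react to the 401 by navigating to the application root, which then triggers the Keycloak redirect.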