I set up a project to be stateless according to this documentation https://vaadin.com/docs/latest/fusion/security/spring-stateless
Authorization is set up through Keycloak:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Set default security policy that permits Vaadin internal requests and
    // denies all other
    super.configure(http);
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        // Enable OAuth2 login
        .oauth2Login(oauth2Login -> oauth2Login
            .clientRegistrationRepository(clientRegistrationRepository)
            .userInfoEndpoint(userInfoEndpoint -> userInfoEndpoint
                // Use a custom authorities mapper to get the roles from the identity provider
                // into the Authentication token
                .userAuthoritiesMapper(authoritiesMapper))
            // Use a Vaadin aware authentication success handler
            .successHandler(new VaadinSavedRequestAwareAuthenticationSuccessHandler()))
        // Configure logout
        .logout(logout -> logout
            .logoutSuccessHandler(logoutSuccessHandler())
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")));
    setStatelessAuthentication(http,
        new SecretKeySpec(Base64.getDecoder().decode(authSecret), JwsAlgorithms.HS256),
        "com.my.app");
}

private OidcClientInitiatedLogoutSuccessHandler logoutSuccessHandler() {
    OidcClientInitiatedLogoutSuccessHandler logoutSuccessHandler =
        new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
    logoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}/");
    return logoutSuccessHandler;
}
```
Authentication works fine; we can see the JWT tokens in the cookies.

But when I click the logout button, I am still logged in. There is a logout function as described here: https://vaadin.com/docs/latest/fusion/security/authentication-offline/#removing-an-expired-authentication

```typescript
export async function logout() {
    setSessionExpired();
    await logoutImpl();
    appStore.clearUserInfo();
    location.href = '/logout';
}
```