Jmix + Keycloak (SSO)

There is a problem with the implementation of SSO via Keycloak.

  1. How do I track the status of a Keycloak session? When I log in to my Keycloak account and then log into the Jmix application via Keycloak, I am logged in without being asked for a username/password, and vice versa (this is the correct behavior). The problem arises with the output. If I am logged in to the Jmix application and to my Keycloak account and then log out of my Keycloak account, the Jmix application continues to work, despite the fact that the Keycloak session is no longer there. This is critically important: when exiting one application, the user must be logged out of all others connected by the same session!

  2. Is it possible to configure the Keycloak configuration of the client and the resource server in the same Jmix application so that when the user navigates to any page from the UI of the Jmix application, the access token is validated with a request to Keycloak? Perhaps this would solve the first question.

Hi,

A Jmix application, like any regular Vaadin application, stores authentication in a regular servlet session. The JWT token is not sent on each navigation to an application page, so there is no way to validate access tokens because there are no access tokens there.

Speaking about logging out from the application when a user has logged out from another one: back-channel logout is not supported in the OIDC add-on. I’ve created an issue for this.

If you want to implement this in your own project, you can always disable the standard Jmix OIDC auto-configuration and provide your own one. An example of how to do this can be found in this topic.
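
The session bookkeeping behind an OIDC back-channel logout endpoint, added here as an example that is not part of this thread or of the Jmix OIDC add-on: local sessions are indexed by the `sid` claim from the ID token, and a logout token from the identity provider ends every session registered under that `sid`. The class and method names are hypothetical; the code assumes the logout token's signature has already been verified with a JWT library, that the `Runnable` wraps something like `HttpSession.invalidate()`, and that the token carries `sid` (a token with only `sub` is rejected here).

```java
import java.util.*;
import java.util.concurrent.*;

/** Hypothetical helper: maps the IdP session id (sid) to local sessions. */
public class BackChannelLogoutRegistry {
    static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    private final Map<String, List<Runnable>> bySid = new ConcurrentHashMap<>();

    /** Call after login: sid is taken from the ID token, invalidator ends the local session. */
    public void register(String sid, Runnable invalidator) {
        bySid.computeIfAbsent(sid, k -> new CopyOnWriteArrayList<>()).add(invalidator);
    }

    /** claims: payload of a logout_token whose signature was ALREADY verified (assumption). */
    public int handleLogout(Map<String, Object> claims, String issuer, String clientId) {
        require(issuer.equals(claims.get("iss")), "unexpected iss");
        Object aud = claims.get("aud"); // may be a single string or an array
        boolean audOk = aud instanceof Collection
                ? ((Collection<?>) aud).contains(clientId) : clientId.equals(aud);
        require(audOk, "aud does not name this client");
        Object ev = claims.get("events");
        require(ev instanceof Map && ((Map<?, ?>) ev).containsKey(LOGOUT_EVENT), "not a logout event");
        // A logout token must not carry a nonce, so an ID token cannot be replayed as one.
        require(!claims.containsKey("nonce"), "nonce present");
        require(claims.get("iat") != null && claims.get("jti") != null, "iat/jti missing");
        require(claims.get("sid") instanceof String, "sid missing");
        List<Runnable> sessions = bySid.remove((String) claims.get("sid"));
        if (sessions == null) return 0;      // unknown or already ended session
        sessions.forEach(Runnable::run);     // invalidate every local session for this sid
        return sessions.size();
    }

    private static void require(boolean ok, String msg) {
        if (!ok) throw new IllegalArgumentException("logout token rejected: " + msg);
    }

    public static void main(String[] args) {
        BackChannelLogoutRegistry reg = new BackChannelLogoutRegistry();
        boolean[] alive = {true};
        reg.register("sid-1", () -> alive[0] = false);
        // Constructed sample claims; issuer, client id and sid are placeholders.
        Map<String, Object> claims = Map.of("iss", "https://idp.example/realms/demo",
                "aud", "jmix-app", "iat", 1700000000L, "jti", "c0ffee", "sid", "sid-1",
                "events", Map.of(LOGOUT_EVENT, Map.of()));
        int ended = reg.handleLogout(claims, "https://idp.example/realms/demo", "jmix-app");
        System.out.println(ended + " session(s) ended, alive=" + alive[0]);
    }
}
```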