generator-jhipster: Jhipster - Keycloak and session killed/expired : already accessed service still allowed, others forbidden
Overview of the issue
When I kill a user’s session in Keycloak, the user can still access the services used previously with the same token. However, other services can’t be accessed.
When accessing a service, the JHipster-generated code calls the OIDC provider to check if the token is valid. Then it stores the token’s info in its cache and uses it on the next call with the same token. Good idea to avoid traffic between the service and Keycloak, but if the session is killed after the first call, the token is still valid for the second call, while a call to another service with the same token will fail.
Motivation for or Use Case
I think the user would expect one of 2 possibilities after his session has been killed: either he can access all services until the token expires, or he can’t access anything. But here, he can access only some services.
I may be wrong, but I think that JWT is stateless and OAuth2 allows checking the token locally, so JHipster could decode the token locally with the public key of the OIDC server. It would be more coherent for the user.
Reproduce the error
Suggest a Fix
Check token locally with public key of the OIDC server
JHipster Version(s)
generator-jhipster@4.13.3
JHipster configuration, a .yo-rc.json file generated in the root folder
.yo-rc.json file
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "be.civadis.efinancegateway"
    },
    "jhipsterVersion": "4.13.3",
    "baseName": "efinancegateway",
    "packageName": "be.civadis.efinancegateway",
    "packageFolder": "be/civadis/efinancegateway",
    "serverPort": "8080",
    "authenticationType": "oauth2",
    "cacheProvider": "hazelcast",
    "enableHibernateCache": true,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "postgresql",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": "eureka",
    "buildTool": "maven",
    "enableSocialSignIn": false,
    "enableSwaggerCodegen": false,
    "clientFramework": "angularX",
    "useSass": false,
    "clientPackageManager": "yarn",
    "applicationType": "gateway",
    "testFrameworks": [
      "protractor"
    ],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }
}
JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory
JDL entity definitions
entity BonCommande (bon_commande) {
date Instant,
numero Integer,
type String,
statut String,
fournisseurCode String,
articleBudgCode String,
articleBudgExercice Long
}
entity NatureDepense (nature_depense) {
type String,
code String,
libelle String
}
entity Contexte (contexte) {
date Instant,
type String,
numeroObjet String,
numeroCSC String
}
entity Action (action) {
date Instant,
type String,
commentaire String,
user String
}
entity CentreEmetteur (centre_emetteur) {
code String,
libelle String,
adresse String,
numero String,
ville String,
codePostal String,
numeroIban String
}
entity ListeCollege (liste_college) {
numero Long,
date Instant,
exercice Integer,
clotureListe Boolean,
datePassageCollege Instant,
acterCollege Boolean
}
entity Article (article) {
code String,
libelle String,
quantite Double,
prixUnitaire Double,
tva Double,
total Double,
commentaire String
}
entity NaturePatrimoine (nature_patrimoine) {
code String,
libelle String
}
entity Service (service) {
code String,
libelle String,
actif Boolean
}
entity Fournisseur (fournisseur) {
nom String,
prenom String,
numNat String,
numTVA String,
rue String,
numero String,
codePostal String,
ville String,
pays String,
rueEnvoi String,
numeroEnvoi String,
codePostalEnvoi String,
villeEnvoi String,
paysEnvoi String
}
entity ArticleBudg (article_budg) {
exercice Integer,
code String,
nom String,
type String,
serviceBudget String,
millesime Integer,
isMillesime Boolean,
assujettissementTVA String,
budgetInitial Double,
budgetEnCours Double,
creditsEnCours Double,
tousCredits Double,
montantReserveNonEngage Double,
montantEngage Double,
montantImpute Double,
disponible Double,
compteNMoins1 Double,
compteNMoins2 Double,
compteNMoins3 Double,
compteNMoins4 Double,
compteNMoins5 Double,
montantAdapteNMoins1 Double,
budgetNMoins1 Double,
groupeEconomique String,
codeEconomique String,
codeFonctionnel String,
codeProjet String,
codeEconomiqueComplet String
}
entity Imputation (imputation) {
numero Integer,
libelle String,
tiers String,
tiersBenef String,
montantImputation Double,
montantOp Double,
dateComptable Instant,
dateEcheance Instant
}
entity EngagementDefinitif (engagement_definitif) {
exercice Integer,
numero Integer,
libelle String,
tiers String,
montantEd Double,
montantPe Double,
montantImput Double,
montantOp Double,
montantPayeExt Double,
dateComptable Instant,
dateEcheance Instant
}
entity OrdrePaiement (ordre_paiement) {
dateComptable Instant,
montantPayeOp Double
}
entity ExtraitCompte (extrait_compte) {
dateExtrait Instant,
montantPaye Double
}
entity NonEngage (non_engage) {
numeroCommande Integer,
fournisseur String,
montantTVAC Double,
etatCommande String
}
entity DroitConstate (droit_constate) {
numero Integer,
libelle String,
tiers String,
tiersBenef String,
montantAPercevoir Double,
montantHtvaDef Double,
montantTvacDef Double,
montantHtvaNv Double,
montantTvacNv Double,
pieceJustificative String
}
relationship OneToMany {
BonCommande{contexte} to Contexte{bonCommande},
BonCommande{action} to Action{bonCommande},
BonCommande{article} to Article{bonCommande},
ArticleBudg{imputation} to Imputation{articleBudg},
ArticleBudg{engagementDefinitif} to EngagementDefinitif{articleBudg},
Imputation{ordrePaiement} to OrdrePaiement{imputation},
Imputation{extraitCompte} to ExtraitCompte{imputation},
ArticleBudg{nonEngage} to NonEngage{articleBudg},
ArticleBudg{droitConstate} to DroitConstate{articleBudg}
}
relationship ManyToOne {
BonCommande{natureDepense} to NatureDepense,
BonCommande{centreEmetteur} to CentreEmetteur,
BonCommande{naturePatrimoine} to NaturePatrimoine,
BonCommande{service(serviceCode)} to Service,
BonCommande{fournisseur} to Fournisseur,
BonCommande{articleBudg} to ArticleBudg,
CentreEmetteur{service(serviceCode)} to Service,
EngagementDefinitif{imputation} to Imputation
}
relationship ManyToMany {
ListeCollege{bonCommande} to BonCommande
}
paginate BonCommande, NatureDepense, Contexte, Action, CentreEmetteur, ListeCollege, Article, NaturePatrimoine, Service, Fournisseur, ArticleBudg, Imputation, EngagementDefinitif, OrdrePaiement, ExtraitCompte, NonEngage, DroitConstate with pagination
service BonCommande with serviceClass
microservice BonCommande, NatureDepense, Contexte, Action, CentreEmetteur, ListeCollege, Article, NaturePatrimoine, Service with ecommandeservice
microservice Fournisseur with stcservice
microservice ArticleBudg, Imputation, EngagementDefinitif, OrdrePaiement, ExtraitCompte, NonEngage, DroitConstate with financeservice
Environment and Tools
java version "1.8.0_161" Java(TM) SE Runtime Environment (build 1.8.0_161-b12) Java HotSpot(TM) Client VM (build 25.161-b12, mixed mode)
git version 2.15.0.windows.1
node: v9.1.0
npm: 5.5.1
yeoman: 2.0.0
yarn: 1.3.2
Docker version 17.12.0-ce, build c97c6d6
docker-compose version 1.18.0, build 8dd22a96
Browsers and Operating System
Windows 10, OS X Chrome, Firefox
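The mechanism the issue describes, modelled as an added example (constructed for this page; it is not JHipster's, Spring Security's or Keycloak's code). Each service caches the introspection result per token, so after the session is killed the token keeps working on the service that already cached it and fails on a service that has not seen it; local JWT verification gives every service the same answer until `exp`. The `IdentityProvider`, `IntrospectingService` and `LocalJwtService` classes, the 5-second cache `ttl` and the claim values are assumptions. HS256 with a constructed shared key stands in for the RS256 public-key check a real OIDC server's JWKS endpoint would support, because the Python standard library has no RSA implementation.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the OIDC server's signing key.  A real
# Keycloak realm signs with RS256 and publishes the public key at
# .../protocol/openid-connect/certs; HS256 is used only because the standard
# library has no RSA.
SECRET = b"constructed-demo-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, sid: str, exp: int) -> str:
    """Mint a compact JWT carrying subject, IdP session id and expiry."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "sid": sid, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_locally(token: str, now: int):
    """Stateless check (signature + exp only).  Returns the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class IdentityProvider:
    """Models Keycloak: a session store plus a token-introspection endpoint."""

    def __init__(self):
        self.active_sessions = set()
        self.introspection_calls = 0

    def login(self, sub: str, exp: int) -> str:
        sid = f"sid-{sub}-{len(self.active_sessions) + 1}"
        self.active_sessions.add(sid)
        return issue_token(sub, sid, exp)

    def kill_session(self, sid: str) -> None:
        self.active_sessions.discard(sid)

    def introspect(self, token: str, now: int) -> bool:
        # Stateful answer: a valid, unexpired token is active only while the
        # session it was issued for still exists.
        self.introspection_calls += 1
        claims = verify_locally(token, now)
        return claims is not None and claims["sid"] in self.active_sessions


class IntrospectingService:
    """Asks the IdP once per token, then trusts its own cache.

    ttl=None reproduces the behaviour in the issue (cache never refreshed);
    a finite ttl bounds how long a killed session keeps working here.
    """

    def __init__(self, idp: IdentityProvider, ttl=None):
        self.idp, self.ttl, self.cache = idp, ttl, {}

    def authorize(self, token: str, now: int) -> bool:
        entry = self.cache.get(token)
        if entry is None or (self.ttl is not None and now - entry[1] >= self.ttl):
            entry = (self.idp.introspect(token, now), now)
            self.cache[token] = entry
        return entry[0]


class LocalJwtService:
    """Validates the JWT locally: every instance gives the same answer."""

    def authorize(self, token: str, now: int) -> bool:
        return verify_locally(token, now) is not None


def scenario() -> dict:
    now = 1_000_000
    idp = IdentityProvider()
    token = idp.login("alice", exp=now + 300)
    sid = verify_locally(token, now)["sid"]
    gateway = IntrospectingService(idp)         # already used with this token
    ecommande = IntrospectingService(idp)       # has never seen the token
    bounded = IntrospectingService(idp, ttl=5)  # mitigation: re-check after 5 s
    primed = gateway.authorize(token, now) and bounded.authorize(token, now)
    idp.kill_session(sid)                       # admin kills the session
    later = now + 10
    header, _, sig = token.split(".")           # same signature, edited claims
    forged_payload = b64url(json.dumps({"sub": "mallory", "sid": sid, "exp": now + 300}).encode())
    forged = f"{header}.{forged_payload}.{sig}"
    return {
        "primed_before_kill": primed,
        "introspect_cached": gateway.authorize(token, later),      # stale cache: allowed
        "introspect_uncached": ecommande.authorize(token, later),  # forbidden
        "introspect_bounded": bounded.authorize(token, later),     # forbidden once ttl passes
        "local_any_service": LocalJwtService().authorize(token, later),    # allowed until exp
        "local_after_exp": LocalJwtService().authorize(token, now + 301),  # forbidden
        "local_forged_claims": LocalJwtService().authorize(forged, later), # forbidden
        "introspection_calls": idp.introspection_calls,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The first three results reproduce the inconsistency from the report; the bounded variant shows that introspection caching is acceptable only when the cache lifetime is shorter than the revocation delay you can tolerate. The local-verification results show the trade-off of the suggested fix: every service agrees, but a killed session's token stays usable until `exp`, so short token lifetimes matter.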
About this issue
- State: closed
- Created 6 years ago
- Comments: 18 (10 by maintainers)
I tried, same problem, tokens are still validated on the server. I put this config under security.oauth2.resource:

```yaml
filter-order: 3
user-info-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/userinfo
token-info-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/token/introspect
prefer-token-info: false
#jwt.key-uri: http://localhost:9080/auth/realms/jhipster
jwk.key-set-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/certs
```
FYI, my app is multitenant, so I use {realm} to inject the realm associated with the current tenant. I've defined a custom bean to inject it.

```java
@Bean(name = "multiResourceServerProperties")
@Primary
public ResourceServerProperties multiResourceServerProperties() {
    return new MultiResourceServerProperties();
}
```
@mraible Thank you for your help, but most important, enjoy your vacation !
@warnonphilippe Thanks for taking the time to look into this and confirm the latest configuration doesn’t fix things. Unfortunately, I won’t have time to dig in and try to fix this until after my upcoming vacation. I’ll be offline from March 23 - April 3.