Keycloak Session Timeout behavior when using Spring Security Adapter

Question

When using Keycloak and Spring Security with the OIDC Client protocol the application session won't expire when the Keycloak SSO session timeout has already occured. As a result, if a user accesses any parts of the application protected by the Keycloak adapter after the access token has expired Spring Security still has the authentication object. But when the Keycloak adapter checks to see if the Access token is active which it won't be at this point, as a result the adapter (RefreshableKeycloakSecurityContext.java Class) attempts to get a new Access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak the adapter throws

Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}

So, the user can still navigate and access any part of the application, without being taken to login page to re-authenticate.

Any tips/ideas how can I achieve the desired behavior, so that when the Keycloak SSO Session expires the user will be redirected to login page and Spring authentication will invalidated?

Spring-Security: 4.0.4.RELEASE
Keycloak Spring Security Adapter: 3.4.2.Final
Keycloak Server: 3.4.3.Final

Answer 1

There seems to something missing from the xml configuration section of the Keycloak documentation. There is a filter to be used for checking the token and logging the user out if it can't be refreshed, KeycloakSecurityContextRequestFilter.

So if you are using XML config based on the documentation, you have to add the following bean:

<bean id="keycloakSecurityContextRequestFilter"
          class="org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter" />

And then add this to the security:http configuration:

<security:custom-filter ref="keycloakSecurityContextRequestFilter" after="FORM_LOGIN_FILTER" />