Keycloak sessions filled
narkuss opened this issue · 4 comments
BUG
I'm using Alfresco 6.2 with ADF and Keycloak integration. When I access the Active Sessions menu in the admin console, every call to the webscript /alfresco/s/ootbee/admin/active-sessions creates a new session in Keycloak, visible from the Keycloak admin console.
I'm new to Keycloak, maybe it's due to a misconfiguration, or maybe it's an Alfresco issue regarding Keycloak integration, because an active session is tracked when I log in to Share, but when I log out this session remains in Keycloak.
Expected behavior
I don't know, I suppose a new session should not be created in keycloak at every webscript call.
Actual behavior
New session created in keycloak for every webscript called
Steps to reproduce the behavior
Install Alfresco 6.2 with keycloak integration. You can follow this to get keycloak to work. You can use this to get a working project to test.
Additional details (analysis so far, log statements, references, etc.)
Tell us about your environment
docker-compose local installation
alfresco6.2.0-ga
share6.2.0
Alfresco-content-application, master tag
T-engines, postgres, activemq, etc etc...
When you have Keycloak or any other SSO configured in Alfresco, you should typically use /alfresco/wcs/xxx type URLs, as only /wcs/ is enabled to support the SSO capabilities. When using /s/ you are essentially always using HTTP Basic with Alfresco, and on every request, Alfresco will perform a password-based authentication using your HTTP Basic credentials against Keycloak - and this is causing your session list in Keycloak to be filled. Please switch to using /wcs/, which should also use HTTP session to keep track of authentications instead of re-authenticating on every request. Now, there is still some chance that this will not 100% fix your issue - Alfresco's Keycloak integration is extremely naive / trivial, which is why I started working on my own module. But you can at least eliminate the "incorrect use" aspect on this issue.
Thanks for your response. I tried to change Alfresco endpoints in Share, changing share-config-custom.xml endpoints from /s to /wcs in the shared/classes/alfresco/web-extension folder. It keeps maintaining the session when I log out.
On the other side, accessing http://localhost/alfresco/wcs/ootbee/admin/active-sessions/users adds a session to Keycloak too, nothing changes.
I will raise an issue to Alfresco instead of here. Thanks for your help.
PS: Will your Keycloak authentication subsystem be open-sourced?
Your experience with using the /wcs endpoint confirms my suspicions (why I said there was a chance that it would not fix your issue). My Keycloak authentication subsystem will support that. And yes, my Keycloak subsystem will be open source - it actually already is, albeit in an initial version which only adds Keycloak support to Share. I am using some of my free time before start of regular business next week to continue work on the next version, adding more elaborate support on the Repository-tier (including user / group synchronisation).
Nice, I think this issue could be closed, as it is more related to Alfresco than to this project, as you stated before.
I'll take a look at your Keycloak authentication subsystem, thanks for everything!
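
The symptom discussed in this thread (a new Keycloak session for every request that re-authenticates with a password) can be spotted in a session export. The following is an added example, not code from the thread or from either project: it flags bursts of sessions that were created close together and never used again. Field names follow Keycloak's `UserSessionRepresentation`; the sample data, the helper names and the thresholds are constructed assumptions.

```python
from collections import defaultdict

BASE = 1_700_000_000_000  # constructed epoch-millisecond timestamp


def _s(sid, user, ip, start, last):
    """Build one constructed session record (hypothetical helper)."""
    return {"id": sid, "username": user, "ipAddress": ip,
            "start": start, "lastAccess": last}


# Constructed sample: six never-reused sessions two seconds apart (the
# per-request pattern) next to ordinary long-lived browser sessions.
SAMPLE_SESSIONS = (
    [_s(f"basic-{i}", "admin", "172.18.0.5", BASE + i * 2_000, BASE + i * 2_000)
     for i in range(6)]
    + [
        _s("browser-1", "admin", "10.0.0.9", BASE, BASE + 600_000),
        _s("browser-2", "jdoe", "10.0.0.7", BASE + 5_000, BASE + 5_000),
        _s("browser-3", "jdoe", "10.0.0.7", BASE + 90_000, BASE + 400_000),
    ]
)


def find_reauth_bursts(sessions, window_ms=60_000, min_sessions=5, idle_ms=1_000):
    """Return {(username, ip): [session ids]} for groups that look like
    one-session-per-request re-authentication (thresholds are assumptions)."""
    unused = defaultdict(list)
    for s in sessions:
        # Never touched after creation: lastAccess is (almost) equal to start.
        if s["lastAccess"] - s["start"] <= idle_ms:
            unused[(s["username"], s["ipAddress"])].append(s)

    flagged = {}
    for key, items in unused.items():
        items.sort(key=lambda s: s["start"])
        lo, best = 0, []
        # Sliding window over start times: largest group within window_ms.
        for hi in range(len(items)):
            while items[hi]["start"] - items[lo]["start"] > window_ms:
                lo += 1
            if hi - lo + 1 > len(best):
                best = items[lo:hi + 1]
        if len(best) >= min_sessions:
            flagged[key] = [s["id"] for s in best]
    return flagged


if __name__ == "__main__":
    for (user, ip), ids in find_reauth_bursts(SAMPLE_SESSIONS).items():
        print(f"{user}@{ip}: {len(ids)} unused sessions in one burst: {ids}")
```
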