jacekkow/keycloak-protocol-cas

Session activity not forwarded to Keycloak server

ValentinLorand opened this issue · 2 comments

Hello,

I'm using the CAS Keycloak extension to authenticate users from an external storage provider.

Keycloak version: 21.1.2

I'm facing a problem regarding sessions.

List of working features:

  • I can log in and log out correctly.
  • If I manually delete the session on the Keycloak side (server), I'm logged out.
  • If I manually delete the session on the application side (client), I'm logged out.

So far so good, but if I'm active in my application, the session on the Keycloak side doesn't seem to perceive this activity. For example, the "Last access" column in the Sessions tab of Keycloak is not updated even though I'm performing actions in my Java application.


As a result, after a few minutes the session on the Keycloak side expires because it was inactive. My client-side session doesn't expire because of my recent activity. So I find myself in a situation where I'm connected to my Java application but there is no remaining session on the Keycloak side.

At first, I wondered whether the problem came from the cas-client used in my Java application. So I tested with the following project:

https://github.com/cas-projects/cas-sample-java-webapp.

When I authenticate to my Keycloak server from this sample application, I have exactly the same problem. The server-side session (Keycloak) doesn't seem to detect user activity.

I tried many different configurations of my realm sessions, but nothing seems to fix my problem.

I don't know if it's a well-known problem, but it's a blocker for me.

Best Regards,
Valentin

There cannot be any "activity" related to the service ticket. Per CAS protocol specs:

  • Service tickets MUST only be valid for one ticket validation attempt.
  • It is RECOMMENDED that the duration a service ticket is valid before it expires be no longer than five minutes.

So after one validation attempt (login) the ticket is no longer valid and cannot be used to indicate any kind of user activity.

CAS is a very simple protocol and you expect more than it can provide. Just switch to OpenID Connect, which is natively supported by Keycloak.

This could be a thing with multi-use proxy-granting-tickets, but this project does not support it - as mentioned in README:

The following features are missing:

  • Proxy ticket service and proxy ticket validation [CAS 2.0]

Thanks for your reply!

Indeed, after digging into the subject, I noticed that there was no communication between the client and the server after the ticket had been issued.

So, I implemented my own ticket renewal behavior. I associate a maximum lifetime with each delivered ticket. For each user action, I check on the client side that the ticket is still valid. When the maximum duration is reached, I invalidate the session on the client side. This forces a connection attempt and automatically renews the ticket on the server side.

It works well! This solution avoids having a session still alive on the client side but no session on the server side.
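The client-side lifetime check described in the reply above, written out as an added example (it is not code from the issue author, from keycloak-protocol-cas or from the CAS client). It assumes a javax.servlet web application that uses the Java CAS client, as the cas-sample-java-webapp does; the session attribute name `_const_cas_assertion_` under which that client stores the validated assertion, the init parameter `maxLifetimeSeconds` and the class name are assumptions made here.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Caps the lifetime of a client-side session that was opened by a CAS
 * service ticket. Once the cap is reached the session is invalidated, so
 * the CAS AuthenticationFilter that runs after this filter sees no
 * assertion and redirects the browser back to Keycloak. If the Keycloak
 * SSO session is still alive a fresh ticket is issued silently; if it has
 * expired the user is asked to log in again. Either way the application
 * never keeps a session that Keycloak no longer knows about.
 *
 * Register it BEFORE the CAS AuthenticationFilter in web.xml (assumption).
 */
public class CasTicketLifetimeFilter implements Filter {

    // Session attribute used by the Java CAS client for the validated
    // assertion (AbstractCasFilter.CONST_CAS_ASSERTION); assumed here.
    static final String CAS_ASSERTION_ATTR = "_const_cas_assertion_";

    // Our own marker: when the CAS assertion first appeared in the session.
    static final String ISSUED_AT_ATTR = "cas.ticket.issuedAt";

    // Default cap; keep it at or below the Keycloak SSO idle timeout so the
    // client-side session cannot outlive the server-side one.
    private Duration maxLifetime = Duration.ofMinutes(30);

    @Override
    public void init(FilterConfig config) {
        String seconds = config.getInitParameter("maxLifetimeSeconds"); // assumed parameter name
        if (seconds != null) {
            maxLifetime = Duration.ofSeconds(Long.parseLong(seconds));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null && session.getAttribute(CAS_ASSERTION_ATTR) != null) {
            Instant issuedAt = (Instant) session.getAttribute(ISSUED_AT_ATTR);
            Instant now = Instant.now();
            if (issuedAt == null) {
                // First request after the ticket was validated: start the clock.
                session.setAttribute(ISSUED_AT_ATTR, now);
            } else if (isExpired(issuedAt, now, maxLifetime)) {
                // Cap reached: drop the local session. The downstream CAS
                // AuthenticationFilter will now redirect to Keycloak for a
                // new service ticket.
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    /** True once the ticket-backed session has lived for maxLifetime or longer. */
    static boolean isExpired(Instant issuedAt, Instant now, Duration maxLifetime) {
        return !now.isBefore(issuedAt.plus(maxLifetime));
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The check is on the age of the ticket-backed session, not on user activity, because (as the maintainer's reply explains) the service ticket is consumed by its single validation and there is nothing left to refresh against Keycloak. Choose `maxLifetimeSeconds` no larger than the realm's SSO session idle timeout; otherwise the window the issue describes (client logged in, no Keycloak session) reappears for the difference between the two values.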