I have a Keycloak realm with some users that acts as the IdP for a Node.js + TypeScript project.
If I press "Logout all sessions", they disappear from there, but they are still valid.
Example:
1) I create a new session. I get its JWT token as a response
2) I do a GET req on one of the protected routes with the token attached. It works.
3) I log out all sessions by pressing the button in that photo
4) I do the same GET req on the same protected route. It still works.
I expect it NOT to work, because I previously logged out all sessions.
This is my Keycloak configuration:

    import { Keycloak as KeycloakType } from "keycloak-connect";
    // require() gives the runtime constructor; the named import above only supplies the type.
    const session = require('express-session');
    const Keycloak = require('keycloak-connect');

    let _keycloak: KeycloakType | undefined;
    const memoryStore = new session.MemoryStore();

    const kcConfig = {
      clientId: 'restapi',
      bearerOnly: true,
      serverUrl: 'http://localhost:8080/auth',
      realm: 'supercatalog',
      realmPublicKey: 'deleted' // redacted in the post
    };

    // Lazily create a single Keycloak instance shared by all routes.
    function getKeycloak(): KeycloakType {
      if (_keycloak) {
        return _keycloak;
      }
      console.log("Initializing Keycloak...");
      _keycloak = new Keycloak({ store: memoryStore }, kcConfig);
      return _keycloak;
    }

    export { getKeycloak, memoryStore };
My protected route:

    import { Router, Request, Response } from 'express';
    import jwtDecode from 'jwt-decode';
    import { getKeycloak } from './keycloak'; // module path assumed; the config file above
    const router = Router();
    const keycloak = getKeycloak();

    router.get('/', keycloak.protect(), async (req: Request, res: Response): Promise<void> => {
      const bearerToken = (await keycloak.getGrant(req, res)).toString();
      const decoded: any = jwtDecode(bearerToken);
      console.log(decoded.resource_access.restapi.roles);
      res.send("hello");
    });

Am I misunderstanding the token flow?
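As an added example (not the poster's code), a middleware that checks the bearer token against Keycloak's token introspection endpoint after keycloak.protect(), so that a server-side "Logout all sessions" is actually seen by the API; the realm, client and server URL are the ones from the question, while the CLIENT_SECRET placeholder, the introspection types and the function names are assumptions of this example.

```typescript
// Added example, not the poster's code. keycloak.protect() with a realmPublicKey configured
// verifies signature and exp locally and cannot see a server-side "Logout all sessions"; this
// middleware also asks Keycloak's token introspection endpoint whether the token is still active.
// Assumed: Node 18+ (global fetch), a confidential client, CLIENT_SECRET as its secret placeholder.
export interface Introspection { active: boolean; sub?: string; exp?: number }
export type Introspector = (token: string) => Promise<Introspection>;
// The slice of fetch() used here, so the transport can be swapped for a fake in tests.
export type HttpPost = (url: string, init: { method: 'POST'; headers: Record<string, string>; body: string })
  => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

export function extractBearer(authHeader: string | undefined): string | null {
  const parts = (authHeader ?? '').trim().split(/\s+/);
  return parts.length === 2 && parts[0].toLowerCase() === 'bearer' ? parts[1] : null;
}

// Introspection endpoint: {serverUrl}/realms/{realm}/protocol/openid-connect/token/introspect;
// the client authenticates with client_id/client_secret form fields (client_secret_post).
export function keycloakIntrospector(serverUrl: string, realm: string, clientId: string,
                                     clientSecret: string, post: HttpPost): Introspector {
  const url = `${serverUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token/introspect`;
  return async (token) => {
    const body = [['token', token], ['client_id', clientId], ['client_secret', clientSecret]]
      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
    const res = await post(url, { method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body });
    if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
    return (await res.json()) as Introspection;
  };
}

// Structural stand-ins for express Request/Response so no express import is needed here.
type Req = { headers: { authorization?: string } };
type Res = { status(code: number): Res; send(body: string): unknown };

// Run after keycloak.protect(). Replies 401 when Keycloak reports the token inactive and 503
// when introspection itself fails (fail closed). The returned status is for tests; Express ignores it.
export function requireActiveToken(introspect: Introspector) {
  return async (req: Req, res: Res, next: () => void): Promise<number> => {
    const token = extractBearer(req.headers.authorization);
    if (!token) { res.status(401).send('missing bearer token'); return 401; }
    try {
      if (!(await introspect(token)).active) { res.status(401).send('token no longer active'); return 401; }
    } catch { res.status(503).send('token introspection unavailable'); return 503; }
    next();
    return 200;
  };
}

// Wiring for the question's realm and client: router.use(keycloak.protect(), requireActiveToken(
//   keycloakIntrospector('http://localhost:8080/auth', 'supercatalog', 'restapi', 'CLIENT_SECRET', fetch)));
```

Introspection adds a round trip to Keycloak per request, so in practice it is paired with a short local cache or applied only to sensitive routes.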