How to honour Keycloak sessions when using websockets?

We have a webapp which establishes a socket connection to make calls to backend services.

We authenticate using a Keycloak server. If we receive a valid access token from Keycloak, we establish a websocket connection to our backend services.

If the Keycloak session expires, the websocket connection remains intact.

Is anyone aware of any patterns or examples or documentation, which would result in the websocket closing when the Keycloak session expires?

Hey!

Are you using Crossbar.io? If so, Crossbar.io supports the WAMP meta API, which includes a procedure to actively kick (another) WAMP-WebSocket session:

https://wamp-proto.org/_static/gen/wamp_latest_ietf.html#wampsessionkill

So in Crossbar.io, I would configure a custom authenticator that authenticates incoming WAMP-WebSocket connections against this Keycloak thingy, and starts a server-side timer to call into the above meta API to kill the WAMP-WebSocket session whenever the Keycloak token expires.

Cheers,
/Tobias
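A sketch of the timer described in the reply above, added here as an example and not taken from the thread or from Crossbar.io's own code. It assumes the custom authenticator runs as an asyncio Autobahn component, has already verified the token's signature against Keycloak, and passes in its own `call` method and the session ID of the connection being authenticated; `kill_on_expiry`, `constructed_token` and the `com.example...` reason URI are hypothetical names.

```python
import asyncio, base64, json, time

def token_expiry(access_token):
    """Read `exp` (Unix seconds) from a JWT whose signature the
    authenticator has ALREADY verified against Keycloak's realm keys."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

async def kill_on_expiry(call, session_id, access_token, now=time.time):
    """Sleep until the token expires, then kick the WAMP session.
    `call` is assumed to behave like an Autobahn session's `call` method."""
    await asyncio.sleep(max(0.0, token_expiry(access_token) - now()))
    try:
        await call("wamp.session.kill", session_id,
                   reason="com.example.error.token_expired",  # hypothetical URI
                   message="Keycloak access token expired")
        return True
    except Exception as exc:
        # The client may have disconnected before the timer fired.
        if getattr(exc, "error", None) == "wamp.error.no_such_session":
            return False
        raise

def constructed_token(exp):
    """Constructed, unsigned sample token; for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT'})}.{enc({'exp': exp})}.sig"

async def demo():
    calls = []
    async def fake_call(proc, *args, **kwargs):   # stands in for the router
        calls.append((proc, args, kwargs))
    token = constructed_token(int(time.time()))   # already at its expiry time
    killed = await kill_on_expiry(fake_call, 4711, token)
    return killed, calls

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

In the authenticator, the coroutine would be scheduled as a background task once authentication succeeds, so the authenticate call itself returns immediately.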

Thanks heaps Tobias.

Yes, we are using crossbar.io and we are using a custom authenticator, so we are able to implement something along the lines of what you suggest.

thanks
Kenn

cheers
Kenn