[keycloak-dev] Improve "Logout all" for the realm?

Hynek Mlnarik hmlnarik at redhat.com
Wed Jun 6 04:25:01 EDT 2018


On Wed, Jun 6, 2018 at 8:48 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 06/06/18 08:28, Stian Thorgersen wrote:
> >
> >
> > On 5 June 2018 at 22:13, Marek Posolda <mposolda at redhat.com
> > <mailto:mposolda at redhat.com>> wrote:
> >
> >     Hi,
> >
> >     when you click on tab "Sessions", you can see the screen with the:
> >     - counts of Active Sessions
> >     - counts of Offline Sessions
> >     - Button "Logout All"
> >
> >     See the screenshot of how the screen currently looks:
> >     https://pasteboard.co/HowNZ2I.png
> >
> >
> >     We have the JIRA https://issues.jboss.org/browse/KEYCLOAK-7055 and the
> >     PR with the discussion https://github.com/keycloak/keycloak/pull/5126 .
> >     In short, the JIRA and PR point out a few issues:
> >     1) There is no way to logout all active sessions only (keep the
> >     offline sessions)
> >
> >     2) There is no way to logout all offline sessions only (keep the
> >     active sessions)
> >
> >     3) When you click on the button, there is no confirmation dialog. It
> >     seems that "Logout all" is quite an important step and a confirmation
> >     should be there.
> >
> >     4) When you click on the button, it will do something in between. All
> >     active sessions are cleared from Infinispan, but offline sessions are
> >     NOT cleared. There is just the realm notBefore policy updated, which
> >     indirectly invalidates the offline sessions, but they are still kept in
> >     Infinispan and the DB, which itself is a bug IMO.
> >
> >     So how to address all the issues? I can see something like this:
> >     - Instead of 1 button, have 3 buttons (Logout all active sessions,
> >     Logout all offline sessions, Logout all)
> >
> >
> > Sounds good, but it might look a bit messy with those long labels and 3
> > buttons. Do we need 3 buttons? Or are "Logout active" and "Logout
> > offline" sufficient? Do we have a better term for non-offline than
> > active?
> The thing is that with "Logout active" and "Logout offline", you can't
> update the notBefore policy. If you update it, you always effectively
> invalidate both kinds of sessions.
>
> I was also thinking about keeping the single button, but once the
> confirmation dialog is displayed, you will have 3 checkboxes in it (push
> not-before, logout active, logout offline), all checked by default. When you
> uncheck "logout active" or "logout offline", it will also automatically
> uncheck "push not-before". In other words, "push not-before" always
> requires both other checkboxes to be checked, due to the reason above.
>
> Is it better regarding usability? I am not sure, as the admin won't see that
> "Logout all" has more options until he clicks on it and the dialog is
> displayed.
>

I'd prefer this suggestion with checkboxes.


> >
> >
> >     - All the buttons will display confirmation dialog
> >
> >
> > +1
> >
> >     - The "Logout all" will also update the notBefore policy like it's
> >     done now. It will clear all the "Active" and "Offline" sessions from
> >     Infinispan. This will be displayed in the confirmation dialog. So the
> >     confirmation for "Logout all" will be like: "Do you want to logout all
> >     active sessions and offline sessions and update realm notBefore
> >     policy?" The other 2 buttons won't update the not-before policy (we
> >     can't do that unless we have a separate not-before for active sessions
> >     and for offline sessions, but I vote to not do that considering the
> >     required complexity of this).
>

+1 for not separating not-before for offline and active.


> >
> >
> > Should it also clear sessions from the DB?
> Yes
> >
> >
> >     - The message for "Logout all" will be sent to all the clients with
> >     adminUrl (which is already done).
> >
> >     One related issue is that currently we don't have a way to notify
> >     client applications that offline sessions were invalidated. I was
> >     thinking if we could have a way to register some listener for various
> >     adapter events (Logout all, logout all active/offline sessions,
> >     logout single active/offline session)? The client application can
> >     listen to the events and do something (e.g. remove the saved offline
> >     token from its DB).
> >
> >
> > I'm not too keen on more bespoke logout protocols. Have we studied the
> > OIDC backchannel/frontchannel specs yet? Is there a way to do this in
> > a standard way?
> Ok, true. I've looked at the specs some time ago; we already partially
> implement something from them.
>
> I remember the front-channel logout spec contains some interesting usage of
> iframes (you display a single HTML page with iframes, where each
> iframe contains the URL to logout a single client). It is pretty
> interesting stuff and seems to be much less error-prone than the
> chain-of-redirects approach, which SAML front-channel logout uses. I've
> proposed to support iframes for SAML front-channel logout too some time
> ago on this list. I think Bill and Hynek liked it. We just need to
> implement those things :)
>

Yup, it would make things (a) parallel, hence faster, and (b) less error-prone,
since a redirect back to Keycloak is currently needed in SAML frontchannel
logout and if some application fails to do that, the subsequent
applications are not logged out. SAML frontchannel logout via iframes was
almost implemented during the cross-DC work but then abandoned because of time.
The JIRA for that is [1] and contains the link to the initial implementation.

Just note that the implementation did not consider the OIDC frontchannel logout
draft and needs to be adjusted accordingly.

--Hynek

[1] https://issues.jboss.org/browse/KEYCLOAK-5449
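The following is an added example, not Keycloak's code and not something any participant in the thread posted. It is a small Python model of the "Logout all" semantics argued over above: two session stores (active and offline), a single realm notBefore, and the rule that "push not-before" only makes sense when both kinds of sessions are logged out, because one notBefore timestamp rejects every token issued before it regardless of session kind. The class and function names (RealmSessionStore, logout_all, scenario) are hypothetical; the timestamps are constructed sample values.

```python
"""Toy model of realm-level "logout all" with a shared notBefore policy.

Added example, not Keycloak code. Names are hypothetical. The validation
rule follows the thread: a token issued before the realm notBefore is
rejected, and otherwise its session must still exist in the right store.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    sid: str        # session id the token is bound to
    iat: int        # issued-at, seconds since epoch
    offline: bool   # True for an offline token, False for a regular one


class RealmSessionStore:
    """Active and offline session ids plus one realm-wide notBefore."""

    def __init__(self) -> None:
        self.active: set[str] = set()
        self.offline: set[str] = set()
        self.not_before: int = 0   # 0 means "never pushed"

    def create_session(self, sid: str, *, offline: bool) -> None:
        (self.offline if offline else self.active).add(sid)

    def issue_token(self, sid: str, now: int) -> Token:
        if sid in self.offline:
            return Token(sid, now, True)
        if sid in self.active:
            return Token(sid, now, False)
        raise KeyError(f"unknown session {sid}")

    def logout_all(self, now: int, *, active: bool = True, offline: bool = True,
                   push_not_before: bool = True) -> None:
        """Apply the three checkboxes of the proposed confirmation dialog."""
        if push_not_before and not (active and offline):
            # One realm notBefore cannot target a single session kind.
            raise ValueError("push not-before requires logging out both "
                             "active and offline sessions")
        if active:
            self.active.clear()
        if offline:
            self.offline.clear()
        if push_not_before:
            self.not_before = now

    def validate(self, token: Token) -> bool:
        """Valid only if issued at/after notBefore and the session still exists."""
        if token.iat < self.not_before:
            return False
        store = self.offline if token.offline else self.active
        return token.sid in store


def scenario() -> dict:
    """Walk through the cases from the thread; returns the outcome of each."""
    realm = RealmSessionStore()
    realm.create_session("s-active", offline=False)
    realm.create_session("s-offline", offline=True)
    t_active = realm.issue_token("s-active", now=1000)
    t_offline = realm.issue_token("s-offline", now=1000)
    results: dict = {}

    # Issue 1: logout active sessions only. Offline token keeps working
    # because nothing touched notBefore or the offline store.
    realm.logout_all(now=1100, active=True, offline=False, push_not_before=False)
    results["after_logout_active"] = (realm.validate(t_active),
                                      realm.validate(t_offline))

    # Dialog rule: pushing notBefore while keeping offline sessions is refused.
    try:
        realm.logout_all(now=1200, active=True, offline=False, push_not_before=True)
        results["partial_push_rejected"] = False
    except ValueError:
        results["partial_push_rejected"] = True

    # Issue 4 (current behaviour): only notBefore is updated, the offline
    # record is left behind. The token is still rejected, but the stale
    # record remains in the store.
    realm.not_before = 1300
    results["stale_record_still_present"] = "s-offline" in realm.offline
    results["stale_offline_token_valid"] = realm.validate(t_offline)

    # Proposed full "Logout all": clear both stores and push notBefore.
    realm.logout_all(now=1400)
    results["stores_empty"] = not realm.active and not realm.offline

    # A session created afterwards gets tokens issued after notBefore.
    realm.create_session("s-offline-2", offline=True)
    t_new = realm.issue_token("s-offline-2", now=1500)
    results["new_token_after_logout_all"] = realm.validate(t_new)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the offline record in the "issue 4" step to show why the thread calls that a bug: validation already fails on the notBefore check, so the leftover record is dead weight in Infinispan and the DB rather than a security hole in this model, and a real store would also need to clear it.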

