[keycloak-user] User sessions not ending upon automatic logout

Kyle Swensson kyle.swensson at tasktop.com
Fri Jun 2 17:27:43 EDT 2017


Hello,


I am having an issue with refresh tokens while using Keycloak with the
Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7.

The issue arises when I authenticate with Keycloak as a basic user using
Tomcat. When this happens a session is started for my basic user, which I
believe means that I am given a refresh token. Then, I navigate to the
Keycloak Admin Console page in a different window. Since I am authenticated
as a basic user and Keycloak uses SSO, it will try to automatically log
my current user into the Admin Console, but it will fail since my basic
user is not configured to be able to use the admin console. After it fails,
Keycloak "logs out" my current user because I don't have permissions to
access the admin console.

The problem is that this "logout" that Keycloak just did doesn't end the
basic user's session for some reason, and thus it doesn't invalidate their
refresh token. This is a problem because it means that if I go back to my
basic user's application, even though keycloak supposedly logged me out, I
can still use the refresh token to get more access tokens for the
application, and thus continue using the application as normal even though
I'm not technically logged in. Worse still, the logout functionality ceases
to work because since Keycloak thinks my user isn't logged in, telling
Keycloak to log my user out doesn't work. This makes it so that the only
way to actually invalidate my current refresh token is by going to "My
Account" as the basic user, and ending all current sessions for them.

It's worth noting that this *only* happens when the basic user is
automatically logged out when Keycloak tries to sign it in to the admin
console automatically. For example, if I have the admin console window open
before I log my basic user in, and then while I am logged in with my basic
user I log in normally to the admin console with a different user, Keycloak
will successfully log out my basic user and end their session, invalidating
their refresh token, like it should.


I'm wondering if this is an actual bug with Keycloak, or if this is just
being caused by some user error on my side, because I can't really figure
out a workaround for this issue. One potential workaround that I have found
is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm
Settings" section of the Keycloak admin console; however, this is making my
application run quite strangely, and I'm not certain why.

If upgrading to Keycloak 3.0 would fix the problem I can do that; however,
it will likely be a fair bit of work, so I don't really want to upgrade
unless I'm certain it will fix the problem.


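The behaviour described in the post (a logout that does not kill the session, so the old refresh token keeps minting access tokens) is easy to verify directly against the realm, which is the check a reviewer would want before deciding whether this is a bug or a configuration problem. The following script is an added example and is not part of the original post nor Keycloak's own code. It assumes a realm with a confidential client that has the Direct Access Grants (resource-owner password) flow enabled, and it talks only to the standard OpenID Connect token and logout endpoints that Keycloak 2.x/3.x exposes under the /auth context path; the base URL, realm, client and credentials are placeholders supplied on the command line. The `classify_refresh_attempt` function holds the decision logic so it can be exercised offline with constructed responses.

```python
"""Check whether a Keycloak logout really invalidates the user's refresh token.

Added example (not Keycloak's code). Assumed setup: confidential client with
Direct Access Grants enabled; endpoints under /auth/realms/<realm>/ as in
Keycloak 2.x/3.x. Run as:
  python check_logout.py https://sso.example.test demo my-client SECRET alice PASS
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def logout_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/logout"


def post_form(url: str, fields: dict) -> tuple:
    """POST application/x-www-form-urlencoded; return (http_status, parsed_json_or_{})."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            body = json.loads(raw) if raw else {}
        except ValueError:
            body = {"raw": raw.decode(errors="replace")}
        return err.code, body


def classify_refresh_attempt(status: int, body: dict) -> str:
    """Interpret a refresh_token grant attempted AFTER logout.

    Keycloak rejects a refresh against a dead session with HTTP 400 and
    error=invalid_grant (e.g. "Session not active"). A 200 carrying a new
    access_token means the session survived the logout: the situation the
    post describes, where the refresh token keeps working.
    """
    if status == 200 and "access_token" in body:
        return "session_still_alive"
    if status in (400, 401) and body.get("error") == "invalid_grant":
        return "session_invalidated"
    return "unexpected_response"


def check_logout_invalidates_session(base_url, realm, client_id, client_secret,
                                     username, password) -> str:
    """Log in, log out via the OIDC logout endpoint, then try to refresh."""
    tok = token_endpoint(base_url, realm)
    client = {"client_id": client_id, "client_secret": client_secret}

    status, body = post_form(tok, {**client, "grant_type": "password",
                                   "username": username, "password": password})
    if status != 200 or "refresh_token" not in body:
        raise RuntimeError(f"login failed: {status} {body}")
    refresh_token = body["refresh_token"]

    # Back-channel logout: hands the refresh token back so Keycloak can end
    # the user session it belongs to.
    status, body = post_form(logout_endpoint(base_url, realm),
                             {**client, "refresh_token": refresh_token})
    if status not in (200, 204):
        raise RuntimeError(f"logout failed: {status} {body}")

    # The decisive step: a correctly ended session must refuse this refresh.
    status, body = post_form(tok, {**client, "grant_type": "refresh_token",
                                   "refresh_token": refresh_token})
    return classify_refresh_attempt(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit(__doc__)
    print(check_logout_invalidates_session(*sys.argv[1:]))
```

If the script prints `session_still_alive`, the realm is exhibiting exactly the problem in the post and the refresh token should be treated as live until the session is ended from the account console or the admin API; `session_invalidated` is the expected, healthy answer. The same three-step sequence (login, logout, attempt refresh) can be driven through the browser-based SSO path the post describes instead of the password grant, but the classification of the final refresh response is identical.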