[keycloak-user] Behavior of back-channel logout for starter application

José Eduardo Paiva Dâmaso jose.damaso at linkconsulting.com
Thu Jun 22 04:17:23 EDT 2017


Correction: I meant logout process (not login) on my first question.
________________________________
From: José Eduardo Paiva Dâmaso <jose.damaso at linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application

Hello,

We are observing an issue with the back-channel logout functionality on our clustered application.

The application is clustered on 2 nodes and exposed via an Apache-based load balancer (the load balancer URL is configured as the Admin URL in Keycloak).
The issue is as follows:

* The user logs in to the application and starts an HTTP session on node 2
* The user logs out (HttpServletRequest.logout)
* Keycloak starts the single-log-out process and sends a ‘k_logout’ POST to our cluster
* The ‘k_logout’ POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it’s owned by node 2)
* The ‘k_logout’ request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:

    19:11:08,118 WARN  [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed

My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?

Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.

Thanks,
José Dâmaso
