[keycloak-user] Logout in broker mode doesn't propagate session's termination

Bill Burke bburke at redhat.com
Thu Mar 9 08:59:52 EST 2017


Looking at the code, LogoutAll seems to expect that all connections are 
OIDC.  Logging out a single session does seem to use the appropriate 
protocol.  I'll dive into our tests to see what coverage we're missing here.



On 3/9/17 4:39 AM, Dmitry Korchemkin wrote:
> I'm killing sessions using Keycloak's admin console GUI, namely the Session
> tab, where I can either kill a session or send a revocation message.
>
> I've tried setting up Single Logout URLs the way the examples suggest, i.e.
> for SAML it is set to
> "http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as
> specified in the XML descriptor. Same with backchannel logout; switching it on
> or off seems to do nothing in this case.
>
> 2017-03-07 21:51 GMT+03:00 <keycloak-user-request at lists.jboss.org>:
>
>> Date: Tue, 7 Mar 2017 08:57:04 -0500
>> From: Bill Burke <bburke at redhat.com>
>> Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate
>>          session's termination
>> To: keycloak-user at lists.jboss.org
>> Message-ID: <dabc3430-e5ed-e834-6f87-dd711b341117 at redhat.com>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> How exactly are you killing sessions?  Through the admin console?  Can
>> you specify exactly what operations you are performing.
>>
>> For SAML and OIDC there is a logout URL you have to specify. There's
>> also a "Backchannel Logout" supported switch that has to be true.
>>
>>
>> On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
>>> I was testing single logout in broker mode and came across this logical,
>>> but not exactly desirable, behaviour, where the session states on the broker
>>> and on the external IdP are not linked between the IdPs.
>>>
>>> My setup is the broker SAML example provided with Keycloak, but instead of an
>>> actual application I log in to the broker using the "/account" URL. Should be
>>> all the same, since it's just another web app protected by this realm.
>>>
>>> The behaviour is as follows:
>>> If I kill a session on the external Keycloak IdP, the user is not logged
>>> out. I assume that since the local session is alive and well, the token is
>>> not being revoked.
>>>
>>> If I kill a session on the broker Keycloak, upon hitting F5 the user is
>>> redirected to the broker login page, but when I press the external IdP login
>>> button, he's logged right back in with no credentials asked. I guess that
>>> since the session between the two IdPs is still up, the broker thinks this
>>> user is already authenticated.
>>>
>>> I tested both OIDC and SAML, and tried different backchannel/frontchannel
>>> toggles in the UI of both the broker and the external IdP, but this had no
>>> visible effect.
>>>
>>> Can you please clarify whether the behaviour observed is expected and
>>> normal, or did I miss some configuration steps?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
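The thread above turns on two identity-provider settings on the broker: the external IdP's logout URL (the SAML "Single Logout Service URL", or the OIDC "Logout URL") and the "Backchannel Logout" switch. Below is an added example, not code from the thread or from Keycloak, that audits those settings in a realm export so a misconfigured broker is caught before anyone tests session termination by hand. It assumes the identity-provider config keys `singleLogoutServiceUrl`, `logoutUrl` and `backchannelSupported` as Keycloak stores them in `identityProviders[].config`, and that booleans there are stored as the strings "true"/"false"; the realm JSON, aliases and URLs in `SAMPLE_REALM` are constructed for this example and do not come from the Keycloak broker example.

```python
"""Audit a Keycloak realm export for broker (identity provider) logout settings.

Added example for the keycloak-user thread on logout propagation in broker mode;
not code from Keycloak or from the thread. Assumed (labelled) facts: the config
keys "singleLogoutServiceUrl" (SAML), "logoutUrl" (OIDC / keycloak-oidc) and
"backchannelSupported" live in identityProviders[].config, and booleans there
are stored as the strings "true" / "false".
"""
from typing import Dict, List
from urllib.parse import urlparse

# Config key holding the external IdP's logout endpoint, per providerId (assumed).
LOGOUT_URL_KEY = {
    "saml": "singleLogoutServiceUrl",
    "oidc": "logoutUrl",
    "keycloak-oidc": "logoutUrl",
}


def audit_identity_provider(idp: dict) -> List[str]:
    """Return findings for one identityProviders[] entry; an empty list means OK."""
    findings: List[str] = []
    alias = idp.get("alias", "<no alias>")
    provider = idp.get("providerId", "")
    cfg = idp.get("config", {})

    key = LOGOUT_URL_KEY.get(provider)
    if key is None:
        return [f"{alias}: unknown providerId {provider!r}, cannot audit logout"]

    url = str(cfg.get(key, "")).strip()
    if not url:
        findings.append(
            f"{alias}: {key} is empty; a broker-side logout has nowhere to send "
            f"the logout request, so the session at the external IdP survives"
        )
    else:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"{alias}: {key}={url!r} is not an absolute http(s) URL")
        elif provider == "saml" and not parsed.path.endswith("/protocol/saml"):
            # A Keycloak SAML realm exposes SSO and SLO on .../protocol/saml, which
            # is what the IdP's XML descriptor advertises; anything else is suspect.
            findings.append(
                f"{alias}: SAML SLO URL {url!r} does not end in /protocol/saml"
            )

    # Stored as a string in the export (assumed); absent means not supported.
    if str(cfg.get("backchannelSupported", "false")).lower() != "true":
        findings.append(
            f"{alias}: backchannelSupported is not true; an admin-initiated "
            f"session kill has no browser to redirect, so logout cannot propagate"
        )
    return findings


def audit_realm(realm: dict) -> Dict[str, List[str]]:
    """Map each IdP alias to its findings; aliases with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for idp in realm.get("identityProviders", []):
        found = audit_identity_provider(idp)
        if found:
            report[idp.get("alias", "<no alias>")] = found
    return report


# Constructed sample shaped like a realm export; realm names, aliases and
# ports are hypothetical and not taken from the Keycloak broker example.
SAMPLE_REALM = {
    "realm": "broker-realm",
    "identityProviders": [
        {   # correctly configured: SLO URL set and backchannel enabled
            "alias": "saml-idp", "providerId": "saml",
            "config": {
                "singleSignOnServiceUrl": "http://localhost:8180/auth/realms/external-saml-realm/protocol/saml",
                "singleLogoutServiceUrl": "http://localhost:8180/auth/realms/external-saml-realm/protocol/saml",
                "backchannelSupported": "true",
            },
        },
        {   # no logoutUrl and backchannel off: broker logout never reaches the IdP
            "alias": "oidc-idp", "providerId": "keycloak-oidc",
            "config": {
                "authorizationUrl": "http://localhost:8180/auth/realms/external-oidc-realm/protocol/openid-connect/auth",
                "tokenUrl": "http://localhost:8180/auth/realms/external-oidc-realm/protocol/openid-connect/token",
                "backchannelSupported": "false",
            },
        },
        {   # SLO URL set but the backchannel switch was never enabled
            "alias": "saml-frontchannel", "providerId": "saml",
            "config": {
                "singleLogoutServiceUrl": "http://localhost:8180/auth/realms/external-saml-realm/protocol/saml",
            },
        },
    ],
}


if __name__ == "__main__":
    for alias, findings in audit_realm(SAMPLE_REALM).items():
        for line in findings:
            print(line)
```

Run it against a real export (Realm Settings, Export, or `kcadm.sh get realms/<realm>` with the identity providers included) by loading the JSON into `audit_realm`; the check deliberately reports the two settings separately, because in the thread either one alone (a logout URL without backchannel support, or the switch without a URL) is enough to leave the external IdP's session alive after the broker's session is killed.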


