Re: [keycloak-user] Behavior of back-channel logout for starter application

Hi, I'm not sure I correctly understand your problem but as far as I know this is correct behavior. The back-channel logout (k_logout) is meant to notify all clients (even those the user did not access) that this user has logged out, thus allowing them to do cleanup work, e.g. deleting any client-side http sessions, access tokens etc. Mit freundlichen Grüßen i. A. Thomas Göttlich ------------------------------------------------------------- Entwicklung factor:plus +49 (0)731 / 9 35 42 -301 thomas.goettlich(a)it-informatik.de ------------------------------------------------------------- IT-Informatik GmbH Magirus-Deutz-Straße 17, 89077 Ulm Fax: +49 (0)731 / 9 35 42 - 130 www.it-informatik.de ------------------------------------------------------------- Amtsgericht Ulm: HRB 2662 Sitz der Gesellschaft: Ulm USt-IdNr.: DE 145567338 Geschäftsführender Gesellschafter: Günter Nägele -----Ursprüngliche Nachricht----- Von: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] Im Auftrag von José Eduardo Paiva Dâmaso Gesendet: Donnerstag, 22. Juni 2017 10:17 An: keycloak-user(a)lists.jboss.org Betreff: Re: [keycloak-user] Behavior of back-channel logout for starter application Correction: I meant logout process (not login) on my first question. ________________________________ From: José Eduardo Paiva Dâmaso <jose.damaso(a)linkconsulting.com&gt; Sent: Jun 22, 2017 09:12 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Behavior of back-channel logout for starter application Hello, We are observing an issue with the back-channel logout functionality on our clustered application. The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak). The issue is as follows: · The user logs in to the application and starts an HTTP session on node 2 · The user logs out (HttpServletRequest.logout) · Keycloak starts the single-log-out process and sends a 'k_logout' POST to our cluster · The 'k_logout' POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it's owned by node 2) · The 'k_logout' request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1: o 19:11:08,118 WARN [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed My question is why is Keycloak trying to back-channel logout the same client application that started the login process? Is this the intended behavior, or do we have some wrong configuration? Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1. Our Keycloak server is version 2.5.0. Thanks, José Dâmaso _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user