Hi Stian,

You are the assignee in KEYCLOAK-3202, so I addressed this email to you directly.

I guess that this issue could be the cause of trouble in our production environment.

There are 4 EAP-6 nodes with Keycloak adapters and 2 Keycloak 1.9.4 standalone servers running in 2 clusters respectively.

We experience logout failures approximately after one and a half days of operation.
Restarting EAP 6 nodes temporary resolves the logout problem.

Durable load tests in out test environment showed that login and logout of existing users don't result in above behaviour.

We added to the durable load test additional scenario creating new users and were able to reproduce logout failure: users are getting empty page and not the login screen as expected. Page reload navigates back into the protected web application .

Logout is accomplished in a Java web applictaion by calling OIDC logout endpoint:

FacesContext
                .getCurrentInstance()
                .getExternalContext()
                .redirect(keycloakDeployment.getLogoutUrl().queryParam("redirect_uri", redirectURL).toTemplate());

Logout is initiated via h:commandLink, so I suppose that the OIDC logout endpoint is called via the GET method. Should we use the POST method instead?

Has servlet logout any advantages?

((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest()).logout();

I'd appreciate quick response, because restarting production EAP cluster every day is not a pleasant option ;-)

Thank you in advance

Kind regards

Valerij Timofeev