Hi,
as far as I know Keycloak doesn't care which client called the logout url, especially
since in most cases it would be the user's browser that calls that url and which gets
the redirect as a response.
Thus Keycloak probably assumes that none of the clients (especially the backend systems)
know when the logout url is being called via their frontend and hence Keycloak
informs all clients.
If I understand you correctly your client does the call on behalf of the user so you might
try to do something like this:
- push some flag into the user's http session
- call the logout url
- do your required cleanup
- remove the flag from the http session
Then you'd probably need to modify the adapter so that upon k_logout being called it
checks the current http session (it should know which that is anyways) and if the flag is
present it would just ignore the call.
Kind regards,
p.p. Thomas Göttlich
-------------------------------------------------------------
Development factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich(a)it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Straße 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de
-------------------------------------------------------------
Local Court Ulm: HRB 2662
Registered office: Ulm
VAT ID No.: DE 145567338
Managing Partner: Günter Nägele
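The flag-based guard suggested in the message above, as an added example that is not part of the original message and is not Keycloak adapter code. `SelfLogoutGuard`, `IdpLogout` and every method name are hypothetical, and the in-memory sets model a single node only.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: models the flag-based guard from the message above.
// SelfLogoutGuard, IdpLogout and all method names are hypothetical; this is
// not Keycloak adapter code.
public class SelfLogoutGuard {
    /** Stand-in for the blocking call to the Keycloak logout URL. */
    interface IdpLogout { void logout(String sessionId) throws Exception; }

    // IDs of HTTP sessions whose logout this application started itself.
    private final Set<String> selfInitiated = ConcurrentHashMap.newKeySet();
    // Constructed stand-in for the container's live HTTP sessions.
    private final Set<String> liveSessions = ConcurrentHashMap.newKeySet();

    void login(String sessionId) { liveSessions.add(sessionId); }
    boolean isLive(String sessionId) { return liveSessions.contains(sessionId); }

    /** The four list steps: set flag, call logout URL, clean up, clear flag. */
    void logoutFromApp(String sessionId, IdpLogout idp) throws Exception {
        selfInitiated.add(sessionId);
        try {
            idp.logout(sessionId);          // may call back into onBackChannelLogout
        } finally {
            liveSessions.remove(sessionId); // cleanup runs even if the IdP call fails
            selfInitiated.remove(sessionId);
        }
    }

    /** Modified k_logout handling: returns true if the call was ignored. */
    boolean onBackChannelLogout(String sessionId) {
        if (selfInitiated.contains(sessionId)) {
            return true;                    // initiator cleans up; do not touch the session
        }
        liveSessions.remove(sessionId);     // logout started elsewhere: invalidate here
        return false;
    }

    public static void main(String[] args) throws Exception {
        SelfLogoutGuard app = new SelfLogoutGuard();
        app.login("s1");
        app.login("s2");
        // The fake IdP calls k_logout back synchronously, as in the thread.
        app.logoutFromApp("s1", id ->
            System.out.println("k_logout ignored for s1: " + app.onBackChannelLogout(id)));
        System.out.println("s1 live after logout: " + app.isLive("s1"));
        System.out.println("k_logout ignored for s2: " + app.onBackChannelLogout("s2"));
        System.out.println("s2 live after k_logout: " + app.isLive("s2"));
    }
}
```

The `finally` block matters for security: a skipped k_logout must never leave the session alive, so the initiating path invalidates it even when the logout call fails. On a clustered deployment the flag has to be visible to whichever node receives k_logout.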
-----Original Message-----
From: José Eduardo Paiva Dâmaso [mailto:jose.damaso@linkconsulting.com]
Sent: Thursday, 22 June 2017 15:49
To: Göttlich, Thomas <thomas.goettlich(a)it-informatik.de>;
keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Behavior of back-channel logout for starter application
Hi,
Thanks for the response.
I understand the point of the back-channel logout process to notify other clients.
My question is why does Keycloak notify the same client that is requesting the logout? It
should be assumed that the client that requested the logout will do its own cleanup, no?
In our case, this causes a deadlock because our app waits for Keycloak to finish the
logout but Keycloak is waiting for that same app to process a back-channel logout that
itself has requested.
Best regards,
José Dâmaso
-----Original Message-----
From: Göttlich, Thomas [mailto:thomas.goettlich@it-informatik.de]
Sent: 22 June 2017 12:12
To: José Eduardo Paiva Dâmaso <jose.damaso(a)linkconsulting.com>;
keycloak-user(a)lists.jboss.org
Subject: AW: [keycloak-user] Behavior of back-channel logout for starter application
Hi,
I'm not sure I correctly understand your problem but as far as I know this is correct
behavior.
The back-channel logout (k_logout) is meant to notify all clients (even those the user did
not access) that this user has logged out, thus allowing them to do cleanup work, e.g.
deleting any client-side http sessions, access tokens etc.
Kind regards,
p.p. Thomas Göttlich
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On behalf of José Eduardo Paiva Dâmaso
Sent: Thursday, 22 June 2017 10:17
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Behavior of back-channel logout for starter application
Correction: I meant logout process (not login) on my first question.
________________________________
From: José Eduardo Paiva Dâmaso <jose.damaso(a)linkconsulting.com>
Sent: Jun 22, 2017 09:12
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Behavior of back-channel logout for starter application
Hello,
We are observing an issue with the back-channel logout functionality on our clustered
application.
The application is clustered on 2 nodes and exposed via an Apache based load balancer (the
load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:
- The user logs in to the application and starts an HTTP session on node 2
- The user logs out (HttpServletRequest.logout)
- Keycloak starts the single-log-out process and sends a 'k_logout' POST to our cluster
- The 'k_logout' POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it's owned by node 2)
- The 'k_logout' request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:
  19:11:08,118 WARN [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed
My question is why is Keycloak trying to back-channel logout the same client application
that started the login process?
Is this the intended behavior, or do we have some wrong configuration?
Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses
keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.
Thanks,
José Dâmaso
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user