[keycloak-dev] Handle case when KC fails to send logout message to some application - KEYCLOAK 782

Michał Choiński kontakt at michalchoinski.pl
Thu Apr 16 05:34:52 EDT 2015

Hi everyone!

I'm a potential GSOC student dreaming of working on "Keycloak - 
Certificate Management" project. I spent the last few days analysing the 
code, debugging and looking how it really works on the inside.
I'd like to fix a bug which I've chosen from Jira. The issue number is 

In the OAuth 2.0 specification (RFC6749) I found the following parameters 
(within item  Error Response) :

                The authorization server encountered an unexpected
                condition that prevented it from fulfilling the request.
                (This error code is needed because a 500 Internal Server
                Error HTTP status code cannot be returned to the client
                via an HTTP redirect.)

          OPTIONAL.  Human-readable ASCII [USASCII] text providing
          additional information, used to assist the client developer in
          understanding the error that occurred.
          Values for the "error_description" parameter MUST NOT include
          characters outside the set %x20-21 / %x23-5B / %x5D-7E.

So the uri after logout would look like this:

The error_description could be either a human-readable description or just 
an error code. It should be processed on the client side. Keycloak.js should 
be changed to handle it.

These params should be added to OIDCLoginProtocol and of course to 
the response when such an error occurs.
In the first loop iterating on userSessions placed in 
AuthenticationManager.browserLogout there should be saving error when 
backend logout fails. It could be done by adding a note to userSession 
and getting it in finishLogout (first, of course, checking if it exists).

What do you think about the above mentioned solution?

best regards,
Michal Choinski
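
The proposal above, sketched as an added example that is not part of the original post and is not Keycloak or keycloak.js code: one function appends the RFC 6749 error parameters to the post-logout redirect URI, and one validates them on the client. The function names, the example URI and the description text are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not Keycloak or keycloak.js API.
// RFC 6749 limits "error" and "error_description" to %x20-21 / %x23-5B / %x5D-7E.
const ALLOWED = /^[\x20-\x21\x23-\x5B\x5D-\x7E]+$/;
const DISALLOWED = /[^\x20-\x21\x23-\x5B\x5D-\x7E]/g;

// Server side: append the error parameters to the post-logout redirect URI.
function buildLogoutRedirect(redirectUri, error, description) {
  const url = new URL(redirectUri);
  if (!ALLOWED.test(error)) throw new Error("error code outside RFC 6749 charset");
  url.searchParams.set("error", error);
  if (description) {
    // Replace quotes, backslashes, control and non-ASCII characters with spaces.
    url.searchParams.set("error_description", description.replace(DISALLOWED, " "));
  }
  return url.toString();
}

// Client side: the query string is untrusted input, so validate before use.
function parseLogoutResult(href) {
  const params = new URL(href).searchParams;
  const error = params.get("error");
  if (error === null) return { ok: true, error: null, description: null };
  if (!ALLOWED.test(error)) return { ok: false, error: null, description: null };
  const raw = params.get("error_description");
  const description = raw !== null && ALLOWED.test(raw) ? raw : null;
  return { ok: false, error, description };
}

// Constructed sample values.
const redirect = buildLogoutRedirect(
  "https://app.example.test/home",
  "server_error",
  'Backchannel logout failed for "customer-portal"'
);
const result = parseLogoutResult(redirect);
// "<" and ">" are inside the allowed set, so display result.description with
// textContent (never innerHTML) even after it passes validation.
console.log(redirect, result);
```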
