[keycloak-user] Behavior of back-channel logout for starter application
José Eduardo Paiva Dâmaso
jose.damaso at linkconsulting.com
Thu Jun 22 04:11:15 EDT 2017
Hello,
We are observing an issue with the back-channel logout functionality on our clustered application.
The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak).
The issue is as follows:
· The user logs in to the application and starts an HTTP session on node 2
· The user logs out (HttpServletRequest.logout)
· Keycloak starts the single-log-out process and sends a ‘k_logout’ POST to our cluster
· The ‘k_logout’ POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it’s owned by node 2)
· The ‘k_logout’ request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1:
o 19:11:08,118 WARN [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed
My question is why is Keycloak trying to back-channel logout the same client application that started the login process?
Is this the intended behavior, or do we have some wrong configuration?
Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1.
Our Keycloak server is version 2.5.0.
Thanks,
José Dâmaso
More information about the keycloak-user
mailing list