IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Logging-out from Keycloak within multiple browser tabs #1211

Closed schwichti closed 3 years ago

schwichti commented 4 years ago

Hi,

I have a React App that uses OIDC client that authorizes with a Keycloak server (among others). In principle, that works great, but I have discovered a minor problem:

When I am logged in, open a page of the app in a new browser tab and then log out and log in in the second tab, I see the following error message: "An error occurred, please login again through your application."

These are my oidc client settings:

{
  metadataUrl: `${config.OIDC_URL}realms/MyRealm/.well-known/openid-configuration`,
  authority: config.OIDC_URL,
  client_id: config.OIDC_CLIENT_ID,
  redirect_uri: window.location.href,
  post_logout_redirect_uri: config.OIDC_POST_LOGOUT_REDIRECT_URI,
  response_type: 'code',
  scope: 'openid profile',
  silent_redirect_uri: config.OIDC_SILENT_REDIRECT_URI,
  automaticSilentRenew: false, 
  accessTokenExpiringNotificationTime: 30, 
  filterProtocolClaims: true,
  loadUserInfo: true,
}

I noticed that after I have logged out in the second tab, the KC_RESTART cookie is not present. I have traced the network traffic between the app and Keycloak and exported that as curl:

curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/logout
?id_token_hint=eyJhb...
&post_logout_redirect_uri=https^%^3A^%^2F^%^2Fcloud-staging.example.org^%^2Fportal" ^
  -H "cookie: 
  AUTH_SESSION_ID=e8de6124-eb5f-4473-ae8e-8d36f1f9c229.keycloak-staging-0; 
  KEYCLOAK_SESSION=MyRealm/7feaf565-9da0-49f2-9cd4-905cd91cb12e/e8de6124-eb5f-4473-ae8e-8d36f1f9c229; 
  KEYCLOAK_IDENTITY=eyJhb...

curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/auth
?client_id=saas-client^
&redirect_uri=https^%^3A^%^2F^%^2Fcloud-staging.example.org^%^2Fportal^
&response_type=code^
&scope=openid^%^20profile^
&state=6f5f467069894bedbf44c0adf3baabfe^
&code_challenge=2GLv94vxCbOY66RS7we5697QmrK8xrj4pDq6sT48Lbo^
&code_challenge_method=S256^
&response_mode=query" ^
-H "cookie: 
AUTH_SESSION_ID=e8de6124-eb5f-4473-ae8e-8d36f1f9c229.keycloak-staging-0" ^

curl "https://login-staging.example.org/auth/realms/MyRealm/login-actions/authenticate
?session_code=rpd0qFQjki1sJ-qXZXpMdpwYyAhfZKzQyX1hAI6Ye7E^
&execution=1b60d7b9-74ac-45f2-afbe-75072b53b8de^
&client_id=saas-client^
&tab_id=0V1C3jaFAtM" ^
-H "cookie: 
AUTH_SESSION_ID=e7738fb3-3267-4343-8575-1ba25de7c205.keycloak-staging-0" ^

I also replaced oidc client with keycloakJS to see any differences. I do not have the problem with keycloakJS. Here is the trace:

curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/logout
  ?post_logout_redirect_uri=http^%^3A^%^2F^%^2Flocalhost^%^3A3000^%^2F" ^
  -H "authority: login-staging.example.org" ^
  -H "upgrade-insecure-requests: 1" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" ^
  -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" ^
  -H "sec-fetch-site: cross-site" ^
  -H "sec-fetch-mode: navigate" ^
  -H "sec-fetch-user: ?1" ^
  -H "sec-fetch-dest: document" ^
  -H "accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" ^
  -H "cookie: 
  AUTH_SESSION_ID=9f264cd5-e1b1-4f5d-ac96-ef770b6cdb20.keycloak-staging-0; 
  KEYCLOAK_SESSION=MyRealm/7feaf565-9da0-49f2-9cd4-905cd91cb12e/9f264cd5-e1b1-4f5d-ac96-ef770b6cdb20; 
  KEYCLOAK_IDENTITY=eyJhbGci...
  --compressed

  curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/auth
  ?client_id=saas-client^
  &redirect_uri=http^%^3A^%^2F^%^2Flocalhost^%^3A3000^%^2F^
  &state=b833a686-5a2a-4b35-8f2f-7fbe1eee14ef^
  &response_mode=fragment^
  &response_type=code^
  &scope=openid^
  &nonce=b81b66a9-b449-4028-b52e-f4037b3973d5^
  &code_challenge=5825AlDas7DFVbDSqyJ5w2H-dtrp2nUp2FcFZaNHktw^
  &code_challenge_method=S256" ^
  -H "authority: login-staging.example.org" ^
  -H "upgrade-insecure-requests: 1" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" ^
  -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" ^
  -H "sec-fetch-site: cross-site" ^
  -H "sec-fetch-mode: navigate" ^
  -H "sec-fetch-dest: document" ^
  -H "referer: http://localhost:3000/" ^
  -H "accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" ^
  -H "cookie: 
  AUTH_SESSION_ID=9f264cd5-e1b1-4f5d-ac96-ef770b6cdb20.keycloak-staging-0" ^

  curl "https://login-staging.example.org/auth/realms/MyRealm/login-actions/authenticate
  ?session_code=AfQKhCLa2PpCuqcOQCp_g73lQe0jZrWAb8_XFYmzkjw^
  &execution=1b60d7b9-74ac-45f2-afbe-75072b53b8de^
  &client_id=saas-client^
  &tab_id=xlivPLTggLw" ^
  -H "authority: login-staging.example.org" ^
  -H "cache-control: max-age=0" ^
  -H "upgrade-insecure-requests: 1" ^
  -H "origin: https://login-staging.example.org" ^
  -H "content-type: application/x-www-form-urlencoded" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" ^
  -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" ^
  -H "sec-fetch-site: same-origin" ^
  -H "sec-fetch-mode: navigate" ^
  -H "sec-fetch-user: ?1" ^
  -H "sec-fetch-dest: document" ^
  -H "referer: https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/auth?client_id=saas-client^&redirect_uri=http^%^3A^%^2F^%^2Flocalhost^%^3A3000^%^2F^&state=b833a686-5a2a-4b35-8f2f-7fbe1eee14ef^&response_mode=fragment^&response_type=code^&scope=openid^&nonce=b81b66a9-b449-4028-b52e-f4037b3973d5^&code_challenge=5825AlDas7DFVbDSqyJ5w2H-dtrp2nUp2FcFZaNHktw^&code_challenge_method=S256" ^
  -H "accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" ^
  -H "cookie: 
  AUTH_SESSION_ID=02654493-109e-4112-a995-4a04cb3354c3.keycloak-staging-0; 
  KC_RESTART=eyJhbGci...

  curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/token" ^
  -H "authority: login-staging.example.org" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" ^
  -H "content-type: application/x-www-form-urlencoded" ^
  -H "accept: */*" ^
  -H "origin: http://localhost:3000" ^
  -H "sec-fetch-site: cross-site" ^
  -H "sec-fetch-mode: cors" ^
  -H "sec-fetch-dest: empty" ^
  -H "referer: http://localhost:3000/" ^
  -H "accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" ^
  --data-raw "code=c18dfe41-b2e1-4531-a592-57f5c80f93d2.02654493-109e-4112-a995-4a04cb3354c3.e4cd3b3c-cc93-4202-a6fe-b6f60d4e27a3^&grant_type=authorization_code^&client_id=saas-client^&redirect_uri=http^%^3A^%^2F^%^2Flocalhost^%^3A3000^%^2F^&code_verifier=3Pg7CwcO8riAgjCKdTIYnjwhNGXXHPT1Xd0zBvkCcgxu6xFaSiezsr3KNJHWRPS1HG0p4fy9iuxSeFXzUb0iCwOrmGfenBYO" ^

  curl "https://login-staging.example.org/auth/realms/MyRealm/protocol/openid-connect/userinfo" ^
  -H "authority: login-staging.example.org" ^
  -H "accept: application/json" ^
  -H "authorization: bearer eyJhbGci...
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" ^
  -H "origin: http://localhost:3000" ^
  -H "sec-fetch-site: cross-site" ^
  -H "sec-fetch-mode: cors" ^
  -H "sec-fetch-dest: empty" ^
  -H "referer: http://localhost:3000/" ^
  -H "accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" ^

I am thankful for any hints.
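As an added diagnostic (not code from this issue or from oidc-client-js), the check below walks a captured login sequence and reports the difference between the two traces above: the failing oidc-client run reaches login-actions/authenticate without a KC_RESTART cookie, while the keycloak-js run carries one. The request objects are constructed from the cookie values quoted in the traces; the step names and the shape of the request records are assumptions made for this example.

```javascript
// Added example, not code from the issue or from oidc-client-js: checks a
// captured Keycloak login sequence for the symptom seen in the failing trace
// (no KC_RESTART cookie sent with login-actions/authenticate).
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

function stepOf(url) {
  const path = new URL(url).pathname;
  if (path.endsWith('/protocol/openid-connect/auth')) return 'auth';
  if (path.endsWith('/login-actions/authenticate')) return 'authenticate';
  return 'other';
}

// Returns findings; an empty list means the sequence looks like the working trace.
function checkLoginSequence(requests) {
  const findings = [];
  for (const req of requests) {
    if (stepOf(req.url) !== 'authenticate') continue;
    const cookies = parseCookies(req.cookie || '');
    if (!cookies.AUTH_SESSION_ID) findings.push('AUTH_SESSION_ID missing at authenticate');
    if (!cookies.KC_RESTART) findings.push('KC_RESTART missing at authenticate');
  }
  return findings;
}

const base = 'https://login-staging.example.org/auth/realms/MyRealm';
// Failing oidc-client run: cookie values as in the first trace (constructed records).
const oidcClientTrace = [
  { url: `${base}/protocol/openid-connect/auth`,
    cookie: 'AUTH_SESSION_ID=e8de6124-eb5f-4473-ae8e-8d36f1f9c229.keycloak-staging-0' },
  { url: `${base}/login-actions/authenticate`,
    cookie: 'AUTH_SESSION_ID=e7738fb3-3267-4343-8575-1ba25de7c205.keycloak-staging-0' },
];
// Working keycloak-js run: cookie values as in the second trace (token elided as on the page).
const keycloakJsTrace = [
  { url: `${base}/protocol/openid-connect/auth`,
    cookie: 'AUTH_SESSION_ID=9f264cd5-e1b1-4f5d-ac96-ef770b6cdb20.keycloak-staging-0' },
  { url: `${base}/login-actions/authenticate`,
    cookie: 'AUTH_SESSION_ID=02654493-109e-4112-a995-4a04cb3354c3.keycloak-staging-0; KC_RESTART=eyJhbGci...' },
];
```

AUTH_SESSION_ID differs between the /auth and /authenticate requests in both traces, so the checker does not treat that rotation as a fault; only the missing KC_RESTART separates the failing run from the working one.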

brockallen commented 3 years ago

Did you ever find out what the issue was?

schwichti commented 3 years ago

Unfortunately no. Probably, it might be a bug in keycloak server: https://issues.redhat.com/browse/KEYCLOAK-15828

brockallen commented 3 years ago

Ok, I will close then. If you find it's a bug in oidc-client, then please re-open. Thx