bcgov / cas-registration

A web app for Registration in OBPS under the Clean Growth branch
Apache License 2.0

Logout function doesn't allow logging back in with another account #413

Closed dleard closed 8 months ago

dleard commented 11 months ago

Describe the Bug:

Logging in to the app with one account, logging out and then logging back in with another account throws an error from keycloak saying that you are already signed in.

This will be a problem for all contractors that report on behalf of multiple operators as they need to sign in/out of different accounts depending on who they are reporting for. There are a couple workarounds, though they aren't a great look if we have to tell our users who have multiple accounts to either:

  1. Use a private browser and close/reopen the browser between each session
  2. Manually remove the site cookies between each session

Steps to reproduce the behaviour:

Investigations

Validating that current federated authentication works:

Troubleshooting

IDIR and BCeID in the same browser
As we partner with the BC Gov Identity Partners of IDIR and BCeID please note in the same browser, you cannot have one tab logged in with IDIR and another with BCeID.

Please use a private browser by either using incognito or clearing your cache.

Other issues
Please ensure you have tested with an incognito browser as mentioned above. If it is still an issue, reach out to us on Rocket.Chat.

Workarounds:

  1. Use a private browser and close/reopen the browser between each session SH: works if there is only 1 anonymous browser open
  2. Manually remove the site cookies between each session SH: @
    • Delete SMSESSION
    • Reset SMFED_OLD_SESSION to ""
shon-button commented 11 months ago

NOTE: The current logout functionality does include a federated logout (see: client/app/api/auth/logout/route.ts) as mentioned in the Stack Overflow link

DL: "I did some investigation on this and I think this stackoverflow is the right place to start: https://stackoverflow.com/questions/71872587/logout-from-next-auth-with-keycloak-provider-not-works"

Further investigation is required....

Potentially, it may be a keycloak setting: oidc.logoutMechanism=rpInitiated (which is not the default)

https://forum.xwiki.org/t/how-to-get-oidc-logout-working-with-keycloak/11679/6

Dianadec commented 11 months ago

@dleard Saving this card for when you are back:). Thanks! cc @shon-button

dleard commented 10 months ago

@shon-button @Dianadec This sounds like it's actually a SiteMinder issue. I think the solution here on the bcgov Stack Overflow may solve it.

dleard commented 10 months ago

The user appears to not be logged out properly either. Click log out, click log-in, user is logged in without having to provide credentials

andrea-williams commented 10 months ago

The user appears to not be logged out properly either. Click log out, click log-in, user is logged in without having to provide credentials

@dleard was that in our dev environment or in your local? I haven't made any changes to the code and when I log out on my local, I'm asked for my IDIR credentials before logging back in again

dleard commented 10 months ago

Interesting, I'll confirm but I feel like I've experienced it both locally and in the dev environment

shon-button commented 10 months ago

My experience is the same as @andrea-williams, I cannot reproduce your issue "when I log out on my local, I'm asked for my IDIR credentials before logging back in again"... @dleard if this happens on your local can you capture some troubleshooting notes? thanks.

shon-button commented 10 months ago

Troubleshooting issue "state mismatch error."

Troubleshooting: debug logging was enabled in the next-auth options.

```ts
import type { NextAuthOptions } from "next-auth";

export const authOptions: NextAuthOptions = {
  debug: true,
  // ...remaining options unchanged
};
```

Reproduction steps

Opening authentication in two different tabs results in a state mismatch error...

Logs

References: next-auth https://github.com/nextauthjs/next-auth/issues/7894

Root cause: opening a new tab with a Keycloak STATE invalidates the Keycloak STATE on the first tab.

Possible resolution: open Keycloak URLs (i.e. Logout) within the initial tab so that Keycloak clears the cookies, allowing re-sign-in with multiple logins within the initial tab OR within new tabs created after logout.
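Added example (not code from cas-registration or next-auth) that models the root cause above: next-auth keeps the pending OAuth `state` in a single `next-auth.state` cookie shared by every tab, so a second tab starting sign-in overwrites the first tab's value and the first tab's callback fails the anti-CSRF check with exactly the "state mismatch, expected X, got: Y" error seen in the logs. The IdP authorization URL and callback URL are constructed placeholders.

```typescript
import { randomBytes } from "node:crypto";

// Browser cookie jar shared by all tabs of one origin (constructed model).
type CookieJar = Map<string, string>;

// A tab starts sign-in: mint a random state, store it in the ONE shared
// cookie, and build the authorization redirect carrying the same value.
function startSignIn(jar: CookieJar, authBase: string): string {
  const state = randomBytes(32).toString("base64url");
  jar.set("next-auth.state", state); // a later tab silently overwrites this
  const url = new URL(authBase);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("state", state);
  return url.toString();
}

// The IdP redirects back with ?state=...; the callback only accepts it if it
// equals the value currently in the cookie, then consumes the cookie.
function handleCallback(jar: CookieJar, callbackUrl: string): { ok: boolean; error?: string } {
  const got = new URL(callbackUrl).searchParams.get("state") ?? "";
  const expected = jar.get("next-auth.state") ?? "";
  if (got !== expected) {
    return { ok: false, error: `state mismatch, expected ${expected}, got: ${got}` };
  }
  jar.delete("next-auth.state"); // state is single-use
  return { ok: true };
}

// Replay the two-tab scenario from the thread: tab 1 and tab 2 both start
// sign-in before either finishes; only the tab that wrote the cookie last
// can complete, the other sees the mismatch error.
function twoTabScenario(): { firstTab: boolean; secondTab: boolean } {
  const jar: CookieJar = new Map();
  const auth = "https://idp.example/realms/standard/protocol/openid-connect/auth"; // placeholder
  const tab1 = new URL(startSignIn(jar, auth)).searchParams.get("state")!;
  const tab2 = new URL(startSignIn(jar, auth)).searchParams.get("state")!; // overwrites tab1's cookie
  const cb = (s: string) => `http://localhost:3000/api/auth/callback/keycloak?code=x&state=${s}`;
  const firstTab = handleCallback(jar, cb(tab1)).ok;  // false: cookie now holds tab2's state
  const secondTab = handleCallback(jar, cb(tab2)).ok; // true
  return { firstTab, secondTab };
}
```

The same failure occurs if tab 2 completes first, because the consumed cookie leaves nothing for tab 1 to match; finishing logout and re-login in the initial tab keeps the cookie and the in-flight state in step.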

shon-button commented 10 months ago

https://cas-reg-frontend-dev.apps.silver.devops.gov.bc.ca/


shon-button commented 10 months ago

localhost


hannavovk commented 10 months ago

Amazing teamwork squashing this nasty one!