Open duckboy81 opened 1 year ago
Off the top, one counter argument to my PR could be that where a client has "Backchannel logout session required" enabled, my implementation would essentially go against this. See option 2 in my PR for a different, more costly approach.
I'm not sure if we have considered how to handle the "Backchannel logout session required" setting when logging out all user sessions. For me, it makes sense to avoid sending multiple logout requests to a client when there are multiple user sessions. We can send a single one without sid even though you have "Backchannel logout session required" enabled.
Your PR is not yet preventing multiple logout requests to the same client. We probably want to avoid using a user session note but just set a session attribute or change how we call those methods when logging out all sessions.
We have the same issue and are in favor of the solution described in the OpenID spec. "A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out."
Is there a plan for when the issue will be resolved?
I am also having the same issue. When the user updates the password, he can choose the option to sign out from other devices. In that case the relying party (RP) has to remove all the sessions except the newly created one (newly created when changing the password).
Therefore I think it is better to include all the removed session IDs as an array in the logout token rather than sending a token without session IDs.
Before reporting an issue
Area
authentication
Describe the bug
When a client enables "Backchannel logout session required" and a user is logged out of all sessions via the logout endpoint (/admin/realms/{realm}/users/{user_id}/logout), the client is not notified to end ALL sessions, just the first session Keycloak reaches. There is no difference between the request sent by Keycloak to a client for A) a single session logout or B) an entire user logout (i.e. logout all sessions).
PS: The reverse is true if "Backchannel logout session required" is NOT enabled. The logout token sent to a client looks like a request to log out every session although an admin may only want to log out of a particular session.
Version
22.0.1
Expected behavior
The expected behavior can be one of two options:
1. A client receives a logout token with the sid claim removed
2. Keycloak sends a logout request for each session, even if it means sending more than one request per client
Sample JWT for option 1
...associated payload
Actual behavior
Keycloak only sends one logout request per client, regardless of the number of active sessions a client may have for the user. The token in this request regretfully includes the sid claim, telling the client to only log out that particular session (and not all the user's sessions as intended).
Example logout token (where user has 2 active sessions in this client)
...associated payload
How to Reproduce?
Client Setup:
Steps:
Result: Observed request sent to client is to logout a specific session, not all sessions.
Anything else?
Section 2.4. Logout Token https://openid.net/specs/openid-connect-backchannel-1_0.html
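What the spec text quoted in this thread means on the relying-party side, as an added example that is not Keycloak code and not from anyone in this issue: a logout token that carries sid ends exactly the one OP session it names, while a token with sub and no sid ends every session the RP holds for that iss+sub. The tokens are constructed and unsigned (alg "none") so the file runs offline; the issuer, client id and session store are assumptions for illustration, and a real RP must verify the JWS signature against the OP's keys before any of this runs.

```python
"""RP handling of an OIDC Back-Channel Logout Token (Sections 2.4 and 2.6 of
https://openid.net/specs/openid-connect-backchannel-1_0.html).

Added example, not Keycloak's code. Tokens built here are UNSIGNED constructed
input; signature verification is assumed to happen before validate_logout_token().
"""
import base64
import json
from typing import Dict, List, Optional

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_logout_token(iss: str, sub: str, aud: str,
                               sid: Optional[str] = None) -> str:
    """Constructed logout token; sid is omitted when None (the 'all sessions' form)."""
    header = {"alg": "none", "typ": "logout+jwt"}
    payload = {
        "iss": iss, "aud": aud, "iat": 1700000000, "jti": "constructed-jti",
        "sub": sub, "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }
    if sid is not None:
        payload["sid"] = sid
    return (_b64url(json.dumps(header).encode()) + "."
            + _b64url(json.dumps(payload).encode()) + ".")


def decode_payload(token: str) -> dict:
    """Split a compact JWS and decode its payload. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_logout_token(claims: dict, expected_iss: str, expected_aud: str) -> None:
    """The Section 2.6 checks that need no key material."""
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if not isinstance(claims.get("iat"), int):
        raise ValueError("iat missing")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce MUST NOT be present in a logout token")


def apply_logout(claims: dict, sessions: Dict[str, dict]) -> List[str]:
    """End RP sessions with the spec's semantics; return the ids removed.

    sessions maps the RP's own session id to the iss/sub/sid recorded from
    the ID Token at login.
    """
    iss, sub, sid = claims["iss"], claims.get("sub"), claims.get("sid")
    if sid is not None:
        # sid present: only the one OP session it names is ended.
        victims = [k for k, s in sessions.items()
                   if s["iss"] == iss and s["sid"] == sid
                   and (sub is None or s["sub"] == sub)]
    else:
        # No sid: every session at this RP for iss+sub is ended.
        victims = [k for k, s in sessions.items()
                   if s["iss"] == iss and s["sub"] == sub]
    for k in victims:
        del sessions[k]
    return victims


ISS = "https://op.example/realms/demo"   # assumed issuer
AUD = "rp-client"                        # assumed client id


def fresh_sessions() -> Dict[str, dict]:
    """Constructed RP session store: alice is logged in twice, bob once."""
    return {
        "rp-sess-1": {"iss": ISS, "sub": "alice", "sid": "op-sid-A"},
        "rp-sess-2": {"iss": ISS, "sub": "alice", "sid": "op-sid-B"},
        "rp-sess-3": {"iss": ISS, "sub": "bob", "sid": "op-sid-C"},
    }


def handle(token: str, sessions: Dict[str, dict]) -> List[str]:
    claims = decode_payload(token)
    validate_logout_token(claims, ISS, AUD)
    return sorted(apply_logout(claims, sessions))


def logout_all_alice() -> List[str]:
    """The form option 1 asks for when an admin logs out all sessions: no sid."""
    return handle(make_unsigned_logout_token(ISS, "alice", AUD), fresh_sessions())


def logout_one_alice_session() -> List[str]:
    """What the token Keycloak currently sends (with sid) does: one session ends."""
    return handle(make_unsigned_logout_token(ISS, "alice", AUD, sid="op-sid-A"),
                  fresh_sessions())


if __name__ == "__main__":
    print("without sid:", logout_all_alice())
    print("with sid:   ", logout_one_alice_session())
```

The two runs at the bottom are the two behaviours the issue contrasts: with sid omitted the RP drops both of alice's sessions and leaves bob alone; with sid present only the named session goes, which is why an "all sessions" logout that still carries sid under-logs-out the client.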