Admin URL not called when user logs out?

I’m trying to implement “instant” logout in all applications if a user logs out in one application. For some reason the Admin URL is not called after a logout.

Admin URL configuration documentation says:

  • User sends logout request from one application
  • The application sends logout request to Keycloak
  • The Keycloak server invalidates the user session
  • The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session
  • When an application receives the logout request it invalidates the corresponding HTTP session

But if I log in to multiple applications in the same browser session (utilizing SSO) and logout from one of them using a URL like:

http//localhost:8180/auth/realms/my-realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2FlogoutCB

then the Admin URL does not get any traffic for any of the clients that have an Admin URL.

But if I go to the Keycloak GUI under the realm > Sessions > Revocation and click on Push I see a POST to /k_push_not_before for every registered Admin URL, so I think the Admin URL is configured correctly.

Can anybody see what I’m doing wrong?


I am facing the exact same issue @pmorch mentioned (using KC 8.0.1). Logout does not trigger any call to the Admin URL configured, but Revocation does. Any help would be appreciated.

Thanks for answering @jtheoof!

Would be great to hear if it has ever worked for anybody else.
If it works for you, Dear Reader, which version are you using?

Peter

Also, how is it supposed to work? What is a minimal test case?

Currently, the way I test is:

  • I log in to multiple applications in the same browser session (utilizing SSO) using a separate client_id for each
  • Logout from one of them
  • Expect the AdminURL to be called for the other clients
    • Actually observe that the AdminURL does not get called for any clients → FAIL

First, can anybody question whether this is a valid test case?

Would it be sufficient to test it by logging in with a single client_id? Is the AdminURL code supposed to be smart enough not to call the AdminURL for the client that initiated the logout? I’m guessing Keycloak can’t really be that smart, since redirect_uri could be the same for multiple clients.

Again, being able to re-create a scenario where it works, even if it is on an older version, would help tremendously.

In my opinion, the AdminURL should be called no matter what client triggered the logout. If the purpose is to have a Single Sign Out experience, all clients should behave the same and KC should be consistent in that matter. I’ll see if I can find the expected behavior by looking at the KC code.

Perhaps there is a scenario where the Admin URL is called after logout: Relatively recent [KEYCLOAK-13996] spring-boot with redis: session not found in admin url callback (k_logout) describes a bug where the AdminURL is called for logout, albeit when one logs out from the keycloak account sessions page http://localhost:8180/auth/realms/demo/account/sessions and logout all sessions. The bug is about some bug in Java Spring vs. Keycloak. This merits further investigation, but it likely won’t be by me for the next couple of days…

There doesn’t seem to be any other bugs associated with this.

So yes, $adminURL/k_logout is POST-ed to when logout is initiated from the management console, but is not POST-ed to when a browser logs out by redirecting to:

http//localhost:8180/auth/realms/my-realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2FlogoutCB

This is heartbreaking. We can’t ensure the user is instantly logged out from all clients if this doesn’t work…


Hi @pmorch, after more investigation, I opened: https://issues.redhat.com/browse/KEYCLOAK-15234 because I think there is an issue with KC. The ticket is more detailed with my investigation, feel free to add to it with more details if you want.


THIS

@jtheoof: I’d give you 1E100 thumbs up if I could. I am SO grateful!

So it only worked when using one of KC’s own adapters… Nasty!

Hi Peter, how are you? I wonder if you can help me out.
When a user is logged out, or a session has been logged out using the KC console (Manager -> Users -> userabc -> Sessions -> logout || logout all sessions), a request should be sent to a given API. This is the task I was asked to do.

I already added the local API IP in my client’s adminUrl, which is: http://192.168.1.6:3666

I did the same as you said above: I hit the Revocation Push button, and I also tested the Sessions -> logout all button.

What do I need?
In a nutshell, when I decide to log out a user using the KC console, I need my API to blacklist (saving the data) all the tokens related to this user’s sessions.

Is this possible to achieve right now with the KC console?

Thanks a lot

Hi,

I’m not sure what you mean. Is 192.168… the address of your app? How does this even work with that weird “Valid Redirect URIs”? What did you test and what was the outcome of these tests? Please be more specific…

Cheers,

Thanks for answering…

Yes, http://192.168.1.6:3666 is my API URL. I’m not trying to log out through any client application; when I log out using the KC console from the user’s sessions view, I need KC to send a logout request to my API (that’s why I’m using that IP, my local API).
Something like
POST /k_userlogout

and then in the request body you could have the session data (userid, sessionid, dates, etc).

This is the view where I think it should kill a specific user.

Do you think this is possible to do?

Thanks

12.0.2 already supports back-channel logout URL config in the KC console. Thank god, we can finally forget the admin URL.
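The Back-Channel Logout URL mentioned above is the standard OIDC mechanism rather than the adapter-specific Admin URL: Keycloak POSTs a signed logout_token to it. As an added example (not code from this thread or from Keycloak), this is the check a client's logout endpoint should perform before it invalidates local sessions; it assumes an HS256 shared key as an offline stand-in for Keycloak's RS256 realm key, and a constructed in-memory session store.

```python
import base64, hashlib, hmac, json

# Added example, not Keycloak's own code. Assumes the token arrives as the
# "logout_token" form field of the POST to the client's Back-Channel Logout URL.
# Keycloak signs it with the realm RSA key (RS256); to run offline without extra
# libraries this demo verifies HS256 with a constructed shared key instead.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64u_enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Builds a compact JWS; used here only to construct sample tokens.
    h = _b64u_enc(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    c = _b64u_enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{_b64u_enc(sig)}"

def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str) -> dict:
    """Verify signature and the claims OIDC Back-Channel Logout requires; raise ValueError (answer 400) otherwise."""
    h, c, s = token.split(".")  # a wrong part count raises ValueError by itself
    if json.loads(_b64u_dec(h)).get("alg") != "HS256":  # rejects 'none' and alg swaps
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64u_dec(s)):
        raise ValueError("bad signature")
    cl = json.loads(_b64u_dec(c))
    aud = cl.get("aud") if isinstance(cl.get("aud"), list) else [cl.get("aud")]
    events = cl.get("events")
    for ok, msg in (
        (cl.get("iss") == issuer, "wrong issuer"),
        (client_id in aud, "wrong audience"),
        (isinstance(cl.get("iat"), int), "missing iat"),
        (bool(cl.get("jti")), "missing jti"),
        (isinstance(events, dict) and BACKCHANNEL_EVENT in events, "not a logout event"),
        (bool(cl.get("sub") or cl.get("sid")), "sub or sid required"),
        ("nonce" not in cl, "nonce must not be present"),
    ):
        if not ok:
            raise ValueError(msg)
    return cl

def sessions_to_kill(claims: dict, store: dict) -> list:
    # Local sessions bound to the Keycloak sid when given, otherwise every session of the sub.
    if claims.get("sid"):
        return [k for k, v in store.items() if v.get("sid") == claims["sid"]]
    return [k for k, v in store.items() if v.get("sub") == claims["sub"]]
```

Keep a short-lived record of seen jti values as well, so a replayed token cannot be used to log a user out again later.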