Hi there,
I have KeyCloak operating as an identity provider for a Hashicorp Vault instance via OIDC.
My concern lies with logging users out.
- When a user is logged out via the KeyCloak admin console this state doesn’t appear to be pushed to Vault.
- When a user logs out of Vault, the session in KeyCloak isn’t updated, i.e. terminated. Once logged out via the application, a user is able to ‘authenticate’ just by clicking the ‘sign in’ button, without an identity/password challenge.
- Should a user logging out of Vault terminate all user sessions in KeyCloak, or just that of the Vault application? Is this something that can be configured via a policy?
On the first point, when an Admin terminates a user’s session, the expectation is probably to prevent that user from continuing to perform actions which may be detrimental.
On the second point, when a user logs out of the application, there is an expectation that they will need to re-authenticate to regain access. This remains true until either the KeyCloak session times out or an Admin terminates the session.
This means that if a bad actor were to gain access to a user’s workstation where the user had been working in Vault, within the lifetime of the KeyCloak session, then this bad actor could initiate a new session in Vault; this new session would have the default lifetime assigned to Vault users, all without a password challenge, and the original user may not be aware of this possibility.
While Hashicorp Vault is the application that I’m working with, I imagine that these concepts apply equally to other apps. I haven’t seen any explicit configuration or instructions about logging out or terminating sessions, and this applies equally to KeyCloak and Vault.
Please let me know your thoughts and guidance.
Thank you.
–
Stephen.
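Added example, not from the post above and not code from the Keycloak or Vault projects: the two standard OpenID Connect mechanisms that address the gap described, namely RP-initiated logout (the application sends the browser to the IdP's end_session_endpoint so the IdP session is ended, not only the application's) and prompt=login on the next authorization request (so a still-live IdP session cannot be reused silently by whoever has the workstation). The discovery document, issuer URL and client id are constructed placeholders; whether a given application actually issues these requests is up to that application.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for GET {issuer}/.well-known/openid-configuration
# (placeholder issuer; the endpoint paths follow Keycloak's layout).
DISCOVERY = {
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "end_session_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
    "backchannel_logout_supported": True,
    "frontchannel_logout_supported": True,
}

def logout_capabilities(disco: dict) -> dict:
    """Report which logout mechanisms the IdP advertises. An application can
    only end the IdP session if one of these exists and the app uses it."""
    return {
        "rp_initiated": "end_session_endpoint" in disco,
        "back_channel": bool(disco.get("backchannel_logout_supported")),
        "front_channel": bool(disco.get("frontchannel_logout_supported")),
    }

def rp_initiated_logout_url(disco: dict, id_token: str,
                            post_logout_redirect_uri: str, state: str) -> str:
    """Build the redirect for OpenID Connect RP-Initiated Logout 1.0.
    id_token_hint identifies the IdP session to end; the redirect URI must be
    pre-registered for the client so the IdP will honour it."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return disco["end_session_endpoint"] + "?" + urlencode(params)

def forced_reauth_url(disco: dict, client_id: str, redirect_uri: str,
                      state: str, nonce: str) -> str:
    """Authorization request with prompt=login: the IdP must challenge for
    credentials even when its own session for the user is still alive."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": "openid", "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce, "prompt": "login"}
    return disco["authorization_endpoint"] + "?" + urlencode(params)

def query_params(url: str) -> dict:
    """Flatten the query string of a built URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```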