App oidc/logout

Hi there,

I have KeyCloak operating as an identity provider for a Hashicorp Vault instance via OIDC.

My concern lies with logging users out.

  • When a user is logged out via the KeyCloak admin console this state doesn’t appear to be pushed to Vault.
  • When a user logs out of Vault, the session in KeyCloak isn’t updated, i.e. terminated. Once logged out via the application, a user is able to ‘authenticate’ just by clicking the ‘sign in’ button, without an identity/password challenge.
  • Should a user logging out of Vault terminate all user sessions in KeyCloak, or just that of the Vault application? Is this something that can be configured via a policy?

On the first point, when an Admin terminates a user’s session, the expectation is probably to prevent that user from continuing to perform actions which may be detrimental.

On the second point, when a user logs out of the application there is an expectation that they will need to re-authenticate to regain access. This remains true until either the KeyCloak session times out or an Admin terminates the session.
This means that if a bad actor were to gain access to a user’s workstation where the user had been working in Vault, within the lifetime of the KeyCloak session, then this bad actor could initiate a new session in Vault; this new session would have the default lifetime assigned to Vault users. All without a password challenge, and the original user may not be aware of this possibility.

While Hashicorp Vault is the application that I’m working with, I imagine that these concepts apply equally to other apps. I haven’t seen any explicit configuration or instructions about logging out or terminating sessions, and this applies equally to KeyCloak and Vault.

Please let me know your thoughts and guidance.

Thank you.
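As an added example (not part of the original post, nor code from Keycloak or Vault), the two OIDC logout mechanisms that correspond to the first two concerns above: RP-Initiated Logout, where the application sends the browser to the IdP's end_session endpoint so the IdP session ends too, and Back-Channel Logout, where the IdP POSTs a signed Logout Token to each application when a session is ended elsewhere (for example by an admin). The Keycloak hostname, realm and client id are constructed assumptions, and verification of the token's JWS signature is assumed to happen before the claims check shown here.

```python
from urllib.parse import urlencode

# Constructed example values: hostname, realm and client id are assumptions.
ISSUER = "https://keycloak.example.com/realms/vault"
END_SESSION_ENDPOINT = ISSUER + "/protocol/openid-connect/logout"
CLIENT_ID = "vault"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def build_rp_logout_url(id_token: str, post_logout_redirect_uri: str) -> str:
    """RP-Initiated Logout: the app redirects the browser here so the IdP session
    ends too. id_token_hint names the session; the redirect URI must be one
    registered for the client, and client_id lets the IdP check that."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "client_id": CLIENT_ID}
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def validate_logout_token_claims(claims: dict, now: float, seen_jtis: set) -> list:
    """Back-Channel Logout: check the Logout Token the IdP POSTs when a session
    is ended elsewhere (OIDC Back-Channel Logout 1.0, section 2.6). Assumes the
    JWS signature was already verified against the IdP's JWKS. Returns the
    problems found; an empty list means the token is acceptable."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the configured issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > 300:
        problems.append("iat missing or outside the 5-minute acceptance window")
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        problems.append("jti missing or already seen (replayed token)")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        problems.append("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        problems.append("nonce must not appear in a logout token")
    if not claims.get("sub") and not claims.get("sid"):
        problems.append("neither sub nor sid present; cannot identify the session")
    if not problems:
        seen_jtis.add(jti)  # remember the id so a replayed token is rejected
    return problems
```

A token carrying only `sid` ends one application session, while one carrying only `sub` asks the application to end every session of that user, which is the distinction behind the third question.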