Spring security - logout from Keycloak not propagated

I’m setting up a Spring MVC-application to use Keycloak, with the Spring security adapter. I’m noticing some strangeness when it comes to logging out. I have managed to achieve single logout when logging out from the application, but when I log out of Keycloak my session in the application remains active.

I have tried setting admin url in the Keycloak client, without effect. What worries me most is this log message, that appears when the application tries to refresh the access token:

ERROR 2020-05-30 10:04:10,649 Class=keycloak.adapters.RefreshableKeycloakSecurityContext, Message="Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Session not active"}"

Even if this message appears, the session with the application is still active. I would expect that an inactive session with the IDP would lead to logout of the application. Anyone have an idea of why it doesn’t?

I have checked the code, and the method doing the login in RefreshableKeycloakSecurityContext returns a boolean (false when the token can’t be refreshed). This return value is ignored in the methods that invoke it.

Update: Seems my issues with admin url were due to Keycloak running in docker, and thus an admin url containing localhost didn't work. Changed it to host.docker.internal, and now the invocation reaches my webapp. But, I get a NPE due to KeycloakPreAuthActionsFilter.userSessionManagement being null.

Update 2: Managed to resolve the NPE. I initially followed the guide for securing apps with Spring security, but there seems to be a missing piece there. My xml configuration of KeycloakPreAuthActionsFilter had to be changed to:

<!-- session registry the adapter uses to find and invalidate HTTP sessions on back-channel logout -->
<bean id="userSessionManagement" class="org.keycloak.adapters.springsecurity.management.HttpSessionManager" />
<!-- the filter must receive the session manager via its constructor, otherwise userSessionManagement is null -->
<bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter">
    <constructor-arg ref="userSessionManagement" />
</bean>

The bean for HttpSessionManager and the injection into KeycloakPreAuthActionsFilter were missing from the guide.

That being said, I’m still not all that comfortable with this solution. If the invocation from Keycloak to the application upon logout should for some reason fail, the user will remain logged in even when the application needs to refresh the access-token.

In combination with issues propagating back channel logout to the correct instance when having multiple instances, this becomes quite a problem.
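The concern raised above (a failed back-channel logout leaves the local session alive even though the adapter can no longer refresh the token) can be narrowed by treating a refused refresh as a logout signal in the application itself. The following servlet filter is an added example, not code from the question or from the Keycloak project. It assumes that the Keycloak Spring Security adapter stores a RefreshableKeycloakSecurityContext under the request attribute named KeycloakSecurityContext.class.getName(), that refreshExpiredToken(boolean) returns false when Keycloak rejects the refresh (the "Session not active" case in the log above), and that the filter is registered in the Spring Security chain after the adapter's own filters. The package and class names are hypothetical.

```java
// Added example (hypothetical package): end the local HttpSession when the Keycloak
// adapter can no longer refresh the access token, instead of silently ignoring the
// boolean result of the refresh as the adapter's own callers do.
package com.example.security;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class TokenRefreshLogoutFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Assumption: the adapter publishes the security context under this attribute name.
        Object ctx = request.getAttribute(KeycloakSecurityContext.class.getName());

        if (ctx instanceof RefreshableKeycloakSecurityContext) {
            RefreshableKeycloakSecurityContext ksc = (RefreshableKeycloakSecurityContext) ctx;

            // checkActive=true: returns true immediately while the token is still valid,
            // otherwise attempts a refresh and returns false if Keycloak refuses
            // (e.g. 400 invalid_grant / "Session not active" after an IdP-side logout).
            boolean stillAuthenticated = ksc.refreshExpiredToken(true);

            if (!stillAuthenticated) {
                terminateLocalSession(request);
                // Force re-authentication; a redirect to the login entry point is the usual choice.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // Clear both the Spring Security context and the servlet session so that no
    // authentication survives a refresh the IdP has rejected.
    private void terminateLocalSession(HttpServletRequest request) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

With this in place the worst case after a lost back-channel logout is bounded by the access token lifespan: once the token expires and the refresh is refused, the next request ends the local session. The back-channel logout is still worth keeping, since it is the only path that ends the session before the token expires.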