I am testing a scenario where I have my Keycloak run as a broker (KC1) on a server where my application runs. I've configured another Keycloak server as an external IdP (KC2) on a different server. Both Keycloaks are of version 26.0.1. Communication is done via SSL, with keystores and truststores on each side. KC1 runs with --features=transient-users. For this feature to work, I also modified the default first broker login flow to disable the Review Profile, since I am not interested in creating a copy of the users that log in from KC2. Also, in my IdP definition of KC2, I also have Do not store users: ON. All this works as expected.
The general flow is this:
A User is accessing my application's URL: https://myserver1:45002/myApp
myApp has a SpringBoot back-end with Angular front-end. The application.yml file contains my KC1 realm details: issuer-uri: https://myserver1:45003/realms/myRealm scope: openid client-id: myClientApp
My application will redirect the user from https://myserver1:45002/myApp to https://myserver1:45003/realms/myRealm/protocol/openid-connect/auth... login page.
Now, I am in the KC1 login page. I can choose to enter some credentials to use with the default KC1 or access my external IdP for login. Using my KC1 works as expected. Upon successful login, I am redirected to my application, KC1 will create a session that I can see in the admin console (and authorization and refresh tokens in the browser), and when I log out, the authorization token and refresh tokens are revoked, and my session from KC1 is removed. All is working as intended. When I click on using my KC2 external IdP, I am redirected, as expected, to: https://myserver2:45003/realms/myRealm/protocol/openid-connect/auth... Now, I am in the KC2 login page. I can enter credentials for users from KC2. After myServer2 authenticates the user, I am redirected back to KC1 and further to my application, as expected. I can see that KC1 generated the authentication and refresh token. I can see the new session for the transient user in KC1. I can also see the regular session of my user in my KC2 admin console. When I log out, however, the transient session for this user in KC1 is removed, tokens are removed from the browser, but the session for this user remains active in KC2. I also want to remove this session too, when logging out of my application.
I have used all possible backchannel configs available in my configurations below, but for some reason, when I log out, KC1 will not send a request to KC2 for logout. I checked both servers' logs. I enabled TRACE level. When I log out, there is no activity on KC2. There are no errors in my browser console or in my application back-end.
myClientApp client from KC1 -> myRealm has the following configs:
Client ID: myClientApp
Root URL: https://myserver1:45002/myApp
Home URL: https://myserver1:45002/myApp
Valid redirect URIs: https://myserver1:45002/*
Valid post logout redirect URIs: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout
Web origins: https://myserver1:45002/
Admin URL: https://myserver1:45002/myApp
Authentication flow: Standard flow and Direct access grants
Logout settings:
Front channel logout: OFF
Backchannel logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout
Backchannel logout session required: ON
Backchannel logout revoke offline sessions: ON
My IdP definition for KC2 as external IdP, from KC1 Identity Providers:
Redirect URI: https://myserver1:45003/realms/myRealm/broker/KC2-IdP/endpoint
Alias and Display name have the same value: KC2-IdP
Authorization URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/auth
Token URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/token
Logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout
User Info URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/user-info
Issuer: https://myserver2:45003/realms/myRealm-myServer2/
Validate Signature: ON
Use JWKS URL: ON
JWKS URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/certs
Use PKCE: OFF
Client Authentication: Client secret sent as post
Client ID: KC2-IdP (this is the client name defined in my KC2 -> myRealm-myServer2 realm. It has the same name as the IdP definition of external KC2 from KC1 Identity Providers)
Client secret: ******* (the secret I copied and pasted, of the KC2-IdP client from KC2, myRealm-myServer2)
In Advanced settings toggle menu, I have put Backchannel logout to ON. The rest of the options are set to off.
Everything else is set to OFF, except Do not store users, which is ON.
Lastly, my KC2-IdP client from KC2 server, myRealm-myServer2 realm:
client ID: KC2-IdP
Root URL: blank
Home URL: blank
Valid redirect URIs: https://myserver1:45003/*
Valid post logout redirect URIs: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout
Web origins: *
Admin URL: blank
Client authentication: ON
Authentication flow: Standard flow and Direct access grants
Logout settings:
Front channel logout: OFF
Backchannel logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout
Backchannel logout session required: ON
Backchannel logout revoke offline sessions: ON
I've tried for days to understand what mistake I've made with these configurations, but everything I've tried, it never worked. Any help or idea I can try is welcome.
Thank you.
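One way to rule out endpoint and issuer mismatches in the IdP definition above, as an added example that is not part of the question: it compares the configured URLs with the issuer's discovery document (the embedded document is a constructed sample in Keycloak's format; `fetch_discovery` pulls the real one from a live server).

```python
# Added example (not from the question): check a broker's OIDC IdP settings against the issuer's discovery document.
import json
import urllib.request
# Admin-console field -> discovery key it must equal; compared exactly, as OIDC compares the iss claim.
FIELD_TO_DISCOVERY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
    "Issuer": "issuer",
}

def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live /.well-known/openid-configuration of an issuer (needs network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def check_idp_config(idp: dict, discovery: dict) -> list:
    """Return one 'Field: detail' finding per mismatch; an empty list means everything agrees."""
    findings = []
    for field, key in FIELD_TO_DISCOVERY.items():
        published, configured = discovery.get(key), idp.get(field)
        if published is None:
            findings.append(f"{field}: IdP publishes no {key}")
        elif configured != published:
            findings.append(f"{field}: configured {configured!r}, published {published!r}")
    return findings

KC2 = "https://myserver2:45003/realms/myRealm-myServer2"
IDP_FROM_QUESTION = {  # values exactly as listed in the question
    "Authorization URL": KC2 + "/protocol/openid-connect/auth",
    "Token URL": KC2 + "/protocol/openid-connect/token",
    "Logout URL": KC2 + "/protocol/openid-connect/logout",
    "User Info URL": KC2 + "/protocol/openid-connect/user-info",
    "JWKS URL": KC2 + "/protocol/openid-connect/certs",
    "Issuer": KC2 + "/",
}
SAMPLE_DISCOVERY = {  # constructed sample in the shape a Keycloak realm serves
    "issuer": KC2,
    "authorization_endpoint": KC2 + "/protocol/openid-connect/auth",
    "token_endpoint": KC2 + "/protocol/openid-connect/token",
    "userinfo_endpoint": KC2 + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": KC2 + "/protocol/openid-connect/logout",
    "jwks_uri": KC2 + "/protocol/openid-connect/certs",
}
if __name__ == "__main__":
    for finding in check_idp_config(IDP_FROM_QUESTION, SAMPLE_DISCOVERY):
        print(finding)  # flags Issuer (trailing slash) and User Info URL (user-info vs userinfo)
```

Against a real KC2, replace SAMPLE_DISCOVERY with fetch_discovery(KC2) and compare the output with the values entered in the KC1 admin console.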
Source: Stack Overflow question "Keycloak broker does not send a logout request to external IdP to clear the User's session".