  1. Keycloak
  2. KEYCLOAK-13671

login-status-iframe returns unchanged after admin forcibly ends session


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Explained
    • 8.0.0
    • None
    • None
    • None
      • Create a new realm
      • Create a client for that realm
      • Create a user for that realm
      • Log that user in from your RP
      • Visit a page on the RP that has the RP iframe to the OP login-status-iframe endpoint
      • Observe the postMessage responses - they will be unchanged
      • Login to the admin console in another session
      • Select Sessions and then your client
      • Click Show Sessions
      • Select the user you're logged in as in the RP
      • Click the Sessions tab
      • Click the Logout button for that user
      • Observe the response from postMessage will still be unchanged instead of changed

      You can similarly observe the expected response cycle by having the user agent (in another window) visit their end session url and the postMessage response properly changes to changed.

    • NEW
    • NEW

    Description

      After hooking up an iframe in our RP to the login-status-iframe endpoint of a realm, I've observed the following:

      • If the Keycloak session expires naturally, the iframe postMessage returns changed
      • If the user agent visits the realm's end_session_endpoint, the iframe postMessage returns changed
      • If I forcibly log out a user via the admin console (Sessions -> Logout All or Logout the individual session), the iframe postMessage continues to return unchanged

      I would expect this to return changed just like what occurs when users' sessions are removed via the two other methods that work, unless I'm misunderstanding something and this is expected behavior? (I'm new to keycloak).

      Trace of clicking Logout for individual user in admin console

      18:44:46,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
      18:44:46,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
      18:44:46,823 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: master
      18:44:46,823 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,824 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=master kid=f-2QeAp0wgmV0yJ1t0N3Mglao3iKLzlUzdK5ihz89C4 algorithm=RS256 use=SIG
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: security-admin-console
      18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: security-admin-console
      18:44:46,824 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-115) authenticated admin access for: admin
      18:44:46,824 DEBUG [org.keycloak.services.resources.Cors] (default task-115) Added CORS headers to response
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: org1-realm
      18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
      18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) getClientRole cache hit: org1-realm.manage-users
      18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:44:46,826 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (dfc03fa8-c333-4092-a992-05ba67cf1b0f) offline: false
      18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
      18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
      18:44:46,826 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: ADD on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,827 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
      18:44:46,827 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,827 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) backchannel logout to: client1
      18:44:46,827 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-115) Cant logout {0}: no logged adapter sessions
      18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
      18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:44:46,828 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) All clients have been logged out for user org1_user in org1 realm, session dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,828 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
      18:44:46,828 TRACE [org.keycloak.events] (default task-115) operationType=DELETE, realmId=master, clientId=9cd51452-c25f-4934-ac57-8d06fbffe1b3, userId=06e484ad-32c7-400f-a5f1-d37acc548a85, ipAddress=<redacted>, resourceType=USER_SESSION, resourcePath=sessions/dfc03fa8-c333-4092-a992-05ba67cf1b0f, requestUri=https://<redacted>/auth/admin/realms/org1/sessions/dfc03fa8-c333-4092-a992-05ba67cf1b0f, cookies=[_ga=GA1.2.1309218180.1583959463]
      18:44:46,828 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
      18:44:46,828 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
      18:44:46,916 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
      18:44:46,916 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
      18:44:46,916 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: master
      18:44:46,916 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,916 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=master kid=f-2QeAp0wgmV0yJ1t0N3Mglao3iKLzlUzdK5ihz89C4 algorithm=RS256 use=SIG
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: security-admin-console
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: security-admin-console
      18:44:46,917 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-115) authenticated admin access for: admin
      18:44:46,917 TRACE [org.keycloak.services.resources.Cors] (default task-115) No origin header ignoring
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: org1-realm
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
      18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) getClientRole cache hit: org1-realm.manage-users
      18:44:46,918 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
      18:44:46,918 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
      

      Trace of user agent visiting end_session_endpoint

      18:49:13,727 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
      18:49:13,727 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
      18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
      18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:49:13,728 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=org1 kid=e0e89566-c57e-4ecf-befd-aadce1acd960 algorithm=HS256 use=SIG
      18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:49:13,729 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-115) Initiating OIDC browser logout
      18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:49:13,729 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (e41615eb-c84c-4c67-89d5-3da3808a07cc)
      18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
      18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
      18:49:13,729 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
      18:49:13,729 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
      18:49:13,729 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
      18:49:13,729 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: ADD on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,730 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Set AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
      18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
      18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
      18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,730 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) backchannel logout to: client1
      18:49:13,730 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-115) Cant logout {0}: no logged adapter sessions
      18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
      18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
      18:49:13,731 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
      18:49:13,731 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
      18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
      18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
      18:49:13,731 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
      18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) All clients have been logged out for user org1_user in org1 realm, session e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring identity cookie
      18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_IDENTITY path: /auth/realms/org1/
      18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_SESSION path: /auth/realms/org1/
      18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_IDENTITY path: /auth/realms/org1
      18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_SESSION path: /auth/realms/org1
      18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring remember me cookie
      18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/org1/
      18:49:13,732 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
      18:49:13,732 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
      18:49:13,732 TRACE [org.keycloak.events] (default task-115) type=LOGOUT, realmId=org1, clientId=null, userId=4d39678a-c118-48b8-9aa3-d71bfcfbfe13, ipAddress=<redacted>, authSessionParentId=e41615eb-c84c-4c67-89d5-3da3808a07cc, authSessionTabId=i8pLWBaRsmU, requestUri=https://<redacted>/auth/realms/org1/protocol/openid-connect/logout, cookies=[KEYCLOAK_IDENTITY=<redacted>, KEYCLOAK_SESSION=org1/4d39678a-c118-48b8-9aa3-d71bfcfbfe13/e41615eb-c84c-4c67-89d5-3da3808a07cc, AUTH_SESSION_ID=e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1]
      18:49:13,732 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on e41615eb-c84c-4c67-89d5-3da3808a07cc
      18:49:13,732 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-115) finishing OIDC browser logout
      18:49:13,732 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
      18:49:13,733 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
      18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
      18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
      18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
      18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
      18:49:14,561 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1205/0x000000084143f040
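
Added example (not part of the original report and not Keycloak code): a small Python triage script that contrasts the two traces above by extracting, for each logout, the session id, the logout path, and which browser cookies the server expired. The sample lines are abbreviated copies of lines from the traces; the names `Logout`, `analyse` and `cookie_outlives_session` are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: abbreviated copies of lines from the two traces in
# this report (admin-console logout, then end_session_endpoint logout).
ADMIN_TRACE = """\
18:44:46,826 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (dfc03fa8-c333-4092-a992-05ba67cf1b0f) offline: false
18:44:46,828 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,828 TRACE [org.keycloak.events] (default task-115) operationType=DELETE, realmId=master, resourceType=USER_SESSION, resourcePath=sessions/dfc03fa8-c333-4092-a992-05ba67cf1b0f
"""
BROWSER_TRACE = """\
18:49:13,729 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (e41615eb-c84c-4c67-89d5-3da3808a07cc)
18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_IDENTITY path: /auth/realms/org1/
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_SESSION path: /auth/realms/org1/
18:49:13,732 TRACE [org.keycloak.events] (default task-115) type=LOGOUT, realmId=org1, clientId=null, userId=4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,732 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on e41615eb-c84c-4c67-89d5-3da3808a07cc
"""

# timestamp, level, [logger], (thread), message
LINE = re.compile(r"^\s*(\d\d:\d\d:\d\d,\d{3}) +(\w+) +\[([\w.$]+)\] \(([^)]*)\) (.*)$")
LOGOUT = re.compile(r"Logging out: (\S+) \(([0-9a-f-]{36})\)")
COOKIE = re.compile(r"Expiring cookie: (\w+) path: \S+")
REMOVE = re.compile(r"cache operation: REMOVE on ([0-9a-f-]{36})")


@dataclass
class Logout:
    user: str
    session: str
    path: str = "unknown"      # "admin-api" or "browser"
    removed: bool = False      # server-side session removed from the cache
    expired_cookies: set = field(default_factory=set)

    @property
    def cookie_outlives_session(self):
        # Session gone on the server, but no KEYCLOAK_SESSION expiry was sent.
        return self.removed and "KEYCLOAK_SESSION" not in self.expired_cookies


def analyse(text):
    """Return one Logout record per 'Logging out:' line found in the trace."""
    logouts, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue           # blank or non-log line
        logger, msg = m.group(3), m.group(5)
        if (lo := LOGOUT.search(msg)):
            current = Logout(lo.group(1), lo.group(2))
            logouts.append(current)
        elif current is None:
            continue           # nothing to attribute this line to yet
        elif (c := COOKIE.search(msg)):
            current.expired_cookies.add(c.group(1))
        elif (r := REMOVE.search(msg)) and r.group(1) == current.session:
            current.removed = True
        elif logger == "org.keycloak.events":
            if "operationType=DELETE" in msg and "resourceType=USER_SESSION" in msg:
                current.path = "admin-api"
            elif "type=LOGOUT" in msg:
                current.path = "browser"
    return logouts
```

On these lines the admin-console logout comes out as a server-side session removal with no cookie expiry at all, while the end_session_endpoint logout expires KEYCLOAK_IDENTITY and KEYCLOAK_SESSION in the same request.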
      

          People

            Unassigned Unassigned
            von1184 Geoff Von Allmen (Inactive)