Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-13671

login-status-iframe returns unchanged after admin forcibly ends session

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Explained
    • 8.0.0
    • None
    • None
    • None
    • Hide
      • Create a new realm
      • Create a client for that realm
      • Create a user for that realm
      • Log that user in from your RP
      • Visit a page on the RP that has the RP iframe to the OP login-status-iframe endpoint
      • Observe the postMessage responses - they will be unchanged
      • Login to the admin console in another session
      • Select Sessions and then your client
      • Click Show Sessions
      • Select the user you you're logged in as in the RP
      • Click the Sessions tab
      • Click the Logout button for that user
      • Observe the response from postMessage will still be unchanged instead of changed

      You can similarly observe the expected response cycle by having the user agent (in another window) visit their end session url and the postMessage response properly changes to changed.

      Show
      Create a new realm Create a client for that realm Create a user for that realm Log that user in from your RP Visit a page on the RP that has the RP iframe to the OP login-status-iframe endpoint Observe the postMessage responses - they will be unchanged Login to the admin console in another session Select Sessions and then your client Click Show Sessions Select the user you you're logged in as in the RP Click the Sessions tab Click the Logout button for that user Observe the response from postMessage will still be unchanged instead of changed You can similarly observe the expected response cycle by having the user agent (in another window) visit their end session url and the postMessage response properly changes to changed .
    • NEW
    • NEW

    Description

      After hooking up an iframe in our RP to the login-status-iframe endpoint of a realm, I've observed the following:

      • If the keycloak session expires naturally, the iframe postMessage returns changed
      • If the user agent visits the realms end_session_endpoint, the iframe postMessage returns changed
      • If I forcible Logout a user via the admin console (Sessions -> Logout All or Logout the individual session), the iframe postMessage continues to return unchanged

      I would expect this to return changed just like what occurs when users' sessions are removed via the two other methods that work, unless I'm misunderstanding something and this is expected behavior? (I'm new to keycloak).

      Trace of clicking Logout for individual user in admin console

      18:44:46,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
18:44:46,823 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
18:44:46,823 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: master
18:44:46,823 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,824 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=master kid=f-2QeAp0wgmV0yJ1t0N3Mglao3iKLzlUzdK5ihz89C4 algorithm=RS256 use=SIG
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: security-admin-console
18:44:46,824 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: security-admin-console
18:44:46,824 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-115) authenticated admin access for: admin
18:44:46,824 DEBUG [org.keycloak.services.resources.Cors] (default task-115) Added CORS headers to response
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: org1-realm
18:44:46,825 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) getClientRole cache hit: org1-realm.manage-users
18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:44:46,826 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (dfc03fa8-c333-4092-a992-05ba67cf1b0f) offline: false
18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
18:44:46,826 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
18:44:46,826 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: ADD on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,827 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
18:44:46,827 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,827 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) backchannel logout to: client1
18:44:46,827 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-115) Cant logout {0}: no logged adapter sessions
18:44:46,827 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:44:46,828 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:44:46,828 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) All clients have been logged out for user org1_user in org1 realm, session dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,828 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on dfc03fa8-c333-4092-a992-05ba67cf1b0f
18:44:46,828 TRACE [org.keycloak.events] (default task-115) operationType=DELETE, realmId=master, clientId=9cd51452-c25f-4934-ac57-8d06fbffe1b3, userId=06e484ad-32c7-400f-a5f1-d37acc548a85, ipAddress=<redacted>, resourceType=USER_SESSION, resourcePath=sessions/dfc03fa8-c333-4092-a992-05ba67cf1b0f, requestUri=https://<redacted>/auth/admin/realms/org1/sessions/dfc03fa8-c333-4092-a992-05ba67cf1b0f, cookies=[_ga=GA1.2.1309218180.1583959463]
18:44:46,828 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
18:44:46,828 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
18:44:46,916 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
18:44:46,916 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
18:44:46,916 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: master
18:44:46,916 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,916 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=master kid=f-2QeAp0wgmV0yJ1t0N3Mglao3iKLzlUzdK5ihz89C4 algorithm=RS256 use=SIG
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 06e484ad-32c7-400f-a5f1-d37acc548a85
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: security-admin-console
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: security-admin-console
18:44:46,917 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-115) authenticated admin access for: admin
18:44:46,917 TRACE [org.keycloak.services.resources.Cors] (default task-115) No origin header ignoring
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,917 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: master
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: org1-realm
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: org1-realm
18:44:46,918 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) getClientRole cache hit: org1-realm.manage-users
18:44:46,918 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
18:44:46,918 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end

      Trace of user agent visiting end_session_endpoint

      18:49:13,727 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
18:49:13,727 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: org1
18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:49:13,728 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Found key: realm=org1 kid=e0e89566-c57e-4ecf-befd-aadce1acd960 algorithm=HS256 use=SIG
18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,728 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:49:13,729 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-115) Initiating OIDC browser logout
18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:49:13,729 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Logging out: org1_user (e41615eb-c84c-4c67-89d5-3da3808a07cc)
18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
18:49:13,729 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
18:49:13,729 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
18:49:13,729 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
18:49:13,729 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
18:49:13,729 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: ADD on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,730 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Set AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: org1
18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,730 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) backchannel logout to: client1
18:49:13,730 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-115) Cant logout {0}: no logged adapter sessions
18:49:13,730 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,730 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: account
18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
18:49:13,731 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the requests header
18:49:13,731 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) {1} cookie found in the cookies field
18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1
18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: account
18:49:13,731 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: client1
18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,731 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) All clients have been logged out for user org1_user in org1 realm, session e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring identity cookie
18:49:13,731 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_IDENTITY path: /auth/realms/org1/
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_SESSION path: /auth/realms/org1/
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_IDENTITY path: /auth/realms/org1
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_SESSION path: /auth/realms/org1
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring remember me cookie
18:49:13,732 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/org1/
18:49:13,732 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) getuserById 4d39678a-c118-48b8-9aa3-d71bfcfbfe13
18:49:13,732 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-115) return managedusers
18:49:13,732 TRACE [org.keycloak.events] (default task-115) type=LOGOUT, realmId=org1, clientId=null, userId=4d39678a-c118-48b8-9aa3-d71bfcfbfe13, ipAddress=<redacted>, authSessionParentId=e41615eb-c84c-4c67-89d5-3da3808a07cc, authSessionTabId=i8pLWBaRsmU, requestUri=https://<redacted>/auth/realms/org1/protocol/openid-connect/logout, cookies=[KEYCLOAK_IDENTITY=<redacted>, KEYCLOAK_SESSION=org1/4d39678a-c118-48b8-9aa3-d71bfcfbfe13/e41615eb-c84c-4c67-89d5-3da3808a07cc, AUTH_SESSION_ID=e41615eb-c84c-4c67-89d5-3da3808a07cc.356bcff2edd1]
18:49:13,732 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REMOVE on e41615eb-c84c-4c67-89d5-3da3808a07cc
18:49:13,732 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-115) finishing OIDC browser logout
18:49:13,732 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper  commit
18:49:13,733 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
18:49:14,561 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
18:49:14,561 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1205/0x000000084143f040

      Attachments

        Activity

          People

            Unassigned Unassigned
            von1184 Geoff Von Allmen (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: