Red Hat build of Keycloak / RHBK-2346

Keycloak reuses AUTH_SESSION_ID of logged out sessions [GHI#32197]



      Area

      login/ui

      Describe the bug

      I reported this bug in discussion #31265.

      The scenario:

      • I log in using the authorization_code flow via the Keycloak login page
      • My application issues a new token
      • Via the Keycloak administrative console, I force a logout of that user session
      • At this moment the backchannel logout triggers, and my app stores the SID claim of the logout_token in a blacklist to guarantee that all tokens issued with that SID will be denied.
      • When I navigate to the Keycloak login page again, the browser session uses the same SID via the AUTH_SESSION_ID cookie from the previous login (the cookie was restored/reused).
      • After I enter my credentials, another token is issued (by my app) with that same SID, and my app denies this new token because that SID was already logged out.

      Version

      25.0.2

      Regression

      [ ] The issue is a regression

      Expected behavior

      In my opinion, Keycloak should not accept SIDs (via the AUTH_SESSION_ID cookie) that were already logged out.

      Sessions being "reborn" after they were already dead (logged out) is strange behavior, in my opinion.

      This results in complex token management: my application will also need to keep the "iat" claim of the logout_token in order to accept or deny tokens with a specific SID.

      For example, with the current behavior, my application will need to validate access tokens as follows:

      • Was the SID of the token logged out at some point?
      • Is the "iat" claim of the access token after the SID logout moment? If so, I accept it. Otherwise, I deny it.

      Actual behavior

      As mentioned in the scenario in the description.

      How to Reproduce?

      As mentioned in the scenario in the description.

      Anything else?

      No response
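The following is an added example, not code from this issue, the reporter, or the Keycloak project. It implements the client-side check the reporter describes: a plain SID blacklist fed from backchannel logout_tokens, which wrongly rejects the token issued after the "reborn" login because Keycloak reuses the same SID, next to the workaround of recording the logout moment (the logout_token "iat") and accepting only tokens with a later "iat". The claim values, issuer URL and SID are constructed; signature verification of the logout_token and access token is assumed to have happened before these claims are trusted and is not shown.

```python
"""Added example (not Keycloak code): SID blacklist vs. logout-moment check.

The naive approach blacklists every sid seen in a backchannel logout_token.
Because Keycloak reuses the AUTH_SESSION_ID (and so the sid) on the next login,
that rejects the new, legitimate token too. The workaround records *when* the
sid was logged out and accepts tokens whose "iat" is later than that moment.
All claims below are constructed; signature checks are assumed done elsewhere.
"""
from dataclasses import dataclass, field

# Event key required in a logout_token by OIDC Back-Channel Logout 1.0.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


@dataclass
class SidLogoutRegistry:
    # sid -> Unix time (the logout_token "iat") at which that sid was logged out.
    logged_out_at: dict = field(default_factory=dict)

    def record_logout(self, logout_token: dict) -> str:
        """Structural checks on the logout_token, then remember the logout moment."""
        if BACKCHANNEL_LOGOUT_EVENT not in logout_token.get("events", {}):
            raise ValueError("not a backchannel logout token")
        if "nonce" in logout_token:
            raise ValueError("logout_token must not carry a nonce")
        sid = logout_token.get("sid")
        if sid is None:
            raise ValueError("logout_token without sid; this example keys on sid")
        iat = int(logout_token["iat"])
        # If the same sid is logged out twice, keep the latest moment.
        self.logged_out_at[sid] = max(iat, self.logged_out_at.get(sid, 0))
        return sid

    def naive_is_acceptable(self, access_token: dict) -> bool:
        """Plain sid blacklist: also rejects the reborn session's new token."""
        return access_token.get("sid") not in self.logged_out_at

    def is_acceptable(self, access_token: dict) -> bool:
        """Workaround: deny only tokens issued at or before the sid's logout.
        "iat" has one-second granularity, so a token issued in the same second
        as the logout is treated as pre-logout and denied."""
        logout_at = self.logged_out_at.get(access_token.get("sid"))
        if logout_at is None:
            return True
        return int(access_token["iat"]) > logout_at


def demo() -> dict:
    """Walk through the reported scenario with constructed claim sets."""
    sid = "f1d2d2f9-24f6-4f0e-9b8c-0c2f4b1e6d7a"  # constructed sid
    registry = SidLogoutRegistry()
    first_token = {"sid": sid, "iat": 1720000000, "sub": "alice"}
    logout_token = {  # constructed backchannel logout_token claims
        "iss": "https://idp.example/realms/demo",
        "sub": "alice", "aud": "my-app", "jti": "x1",
        "iat": 1720000100, "sid": sid,
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }
    registry.record_logout(logout_token)
    # New login after the forced logout: Keycloak hands out the same sid again.
    reborn_token = {"sid": sid, "iat": 1720000200, "sub": "alice"}
    return {
        "old_naive": registry.naive_is_acceptable(first_token),
        "reborn_naive": registry.naive_is_acceptable(reborn_token),
        "old_fixed": registry.is_acceptable(first_token),
        "reborn_fixed": registry.is_acceptable(reborn_token),
    }


if __name__ == "__main__":
    print(demo())
```

The naive check denies both the pre-logout token and the token from the new login, which is exactly the failure the report describes; the logout-moment check denies the old token and accepts the new one. The registry must be persisted and shared across application instances, and entries can be dropped once the application's maximum access-token lifetime has passed since the recorded logout.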

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)
Component: Keycloak Core Clients
Votes: 0
Watchers: 1