This repository has been archived by the owner on Oct 8, 2023. It is now read-only.

Logout not working (Keystone <-> Keycloak ) #265

Open
smarques opened this issue Nov 22, 2022 · 4 comments

Comments

@smarques
Contributor

Hi, I have completed a test integration with Keycloak as identity provider using your backend example. Everything works fine except for the logout function. Here's how I reproduce the problem:

  • On keystone login page click on 'Login with Keycloak'
  • You are redirected to Keycloak (correct) where you login
  • You are then redirected back to Keystone and you are logged in correctly.
  • Click on Signout
  • You are correctly signed out and taken back to the login page (correct)
  • Now if I click on 'Login with Keycloak' again, I am automatically logged in with my previous user; there is no way I can log in with a different account.

If I check in Keycloak I can see the user's session is still active. I think there should be a way for Keystone to signal to Keycloak that the user has ended their session. I know the .well-known file exposes an end_session_endpoint; I am wondering if this should be used somehow.

TIA

@smarques
Contributor Author

Also, looking at nextauthjs/next-auth#3938

@borisno2
Member

Hi @smarques, this is something that is complicated by both how Keystone handles the signout and how Next handles a signout. Currently the behaviour is that clicking signout just clears the local cookie, using the default Navigation component in Keystone.

This is something that probably could be made better in your own project by customising the Navigation component and using the Next-auth react logout function: https://keystonejs.com/docs/guides/custom-admin-ui-navigation#navigation-container. We would then potentially need to expose some of the callback functions to configure that, as per nextauthjs/next-auth#3938.

@smarques
Contributor Author

Yes I have already replaced the navigation with my own, in order to override the Sign Out Button component.
My idea was to have the button send the user to some /auth/federated-logout endpoint that would take care of ending sessions on both sides... I thought I could just add a file from ./customPages/federated-logout.js, but I am not sure that would pass the middleware that the plugin registers; maybe that needs editing too.

A few more questions:

  • Does the system support having multiple identity providers? I ask because it seems that only the subjectId gets saved to the user list, but then what happens if the same user comes back and chooses a different auth provider (say one login with Keycloak and one with Google)? This would create two users with the same email if the email column is not unique, or otherwise throw an error?
  • If I want to log the user out from the auth provider, how do I know which auth provider the user has logged in with? Is there a way to add it to the session?

Thanks for any help

@borisno2
Member

borisno2 commented Dec 4, 2022

Great, you should be able to add your own middleware that adds further functionality you need using the keystone ui.pageMiddleware config. Let me know if there is anything you feel needs to be changed here to help with this.

Yes, the plugin does allow for multiple auth providers. As each provider might have a slightly different structure in what they provide to user, account and profile, you will need to handle this in your resolver to map the values correctly to your schema.

My recommendation, in this case, is to not have email as unique, create a second user, and add functionality that allows users to merge their profiles - having authenticated as each that is being merged. This reduces the risk of bad actors impersonating a user by creating a second account with the same email address and straight away getting access to their data.

You should be able to add a provider to your schema and have this available in your sessionData; you will need to map this in your resolver.
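As an added example of the /auth/federated-logout endpoint discussed in this thread (my own code, not Keystone's, next-auth's or this plugin's), this builds the OIDC RP-initiated logout redirect from the provider's discovery document, so the Keycloak SSO session ends together with the local cookie rather than silently re-authenticating the previous user on the next 'Login with Keycloak'. It assumes an Express-style `res`, a session object that stored the ID token at login, and the cookie name `keystonejs-session`; the discovery document and URLs are constructed.

```javascript
// Constructed discovery document, shaped like Keycloak's
// .well-known/openid-configuration (only the fields used here).
const DISCOVERY = {
  issuer: 'https://keycloak.example.com/realms/demo',
  end_session_endpoint:
    'https://keycloak.example.com/realms/demo/protocol/openid-connect/logout',
};

// Exact-match allowlist of where Keycloak may send the browser after logout.
// Without it the logout endpoint becomes an open redirect.
const ALLOWED_POST_LOGOUT = new Set(['https://app.example.com/signin']);

// Build the end_session_endpoint URL with the standard RP-initiated logout
// parameters (id_token_hint / client_id, post_logout_redirect_uri).
function buildEndSessionUrl(discovery, { idToken, clientId, postLogoutRedirectUri }) {
  if (!discovery.end_session_endpoint) {
    throw new Error('provider does not advertise end_session_endpoint');
  }
  if (!ALLOWED_POST_LOGOUT.has(postLogoutRedirectUri)) {
    throw new Error('post_logout_redirect_uri is not in the allowlist');
  }
  const url = new URL(discovery.end_session_endpoint);
  // id_token_hint identifies the session to end without a confirmation prompt;
  // client_id is the fallback when the ID token was not kept in the session.
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  else if (clientId) url.searchParams.set('client_id', clientId);
  else throw new Error('need an ID token or a client_id');
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Handler for /auth/federated-logout: clear the local session first, then hand
// the browser to Keycloak. `session`, `res` and the cookie name are assumptions.
function federatedLogout(session, res) {
  const location = buildEndSessionUrl(DISCOVERY, {
    idToken: session.idToken,
    clientId: 'keystone', // assumed Keycloak client id
    postLogoutRedirectUri: 'https://app.example.com/signin',
  });
  res.clearCookie('keystonejs-session');
  res.redirect(302, location);
  return location;
}

module.exports = { DISCOVERY, buildEndSessionUrl, federatedLogout };
```

Storing the ID token (and the provider name) in sessionData at login is what makes `id_token_hint` available here; the same stored provider name selects which discovery document to use when more than one identity provider is configured.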
