
Keycloak-JS18 Fails To Automatically Logout After a Failed Token Refresh #14568

Open
RyanLefebvre opened this issue Sep 23, 2022 · 6 comments

@RyanLefebvre commented Sep 23, 2022

Describe the bug

After upgrading our keycloak server and keycloak-js adapter to keycloak 18 we are no longer seeing an automatic logout when a user's token expires. Instead users have been getting stuck inside our application with an expired JWT after a failed token refresh. Logging out with an active session works as expected.

In Keycloak 18 the redirect_uri parameter was deprecated. Instead docs say to use the new parameters id_token_hint and post_logout_redirect_uri when making a request to the logout endpoint for keycloak instead of redirect_uri.

The logout function on the frontend however did not change much from the consumer's perspective. The API was the same and all it expects is a redirectURI as an optional parameter. But the way the logout URL is built behind the scenes did change to automatically convert the redirectURI into the new post_logout_redirect_uri parameter and add the idToken to the logout request automatically.

This change to the way the logout URL is built is the reason for the bug. Notice how when a token refresh fails, the tokens are cleared. This means that all of the tokens are cleared, including the idToken. This explains why logging out works during an active session but the adapter fails to automatically log out after a failed token refresh. It's because the failed token refresh removes a variable needed to build the new logout URL!

Our current workaround for this is to save the idToken, listen for a failed token refresh, reset the token on the keycloak object and then manually logout which defeats the purpose of the keycloak-js adapter taking care of session state management.

```javascript
// onAuthRefreshError is a callback property on the keycloak-js instance, so it is assigned, not called
keycloak.onAuthRefreshError = () => {
  keycloak.idToken = ourSavedIdToken; // restore the idToken the failed refresh cleared
  keycloak.logout();
};
```

Version

18.0.1

Expected behavior

When a session expires and a token refresh fails, keycloak should log the user out.

Actual behavior

When a session expires and a token refresh fails, keycloak is unable to log the user out because their idToken is cleared making it impossible to build a valid keycloak 18 logout request.

How to Reproduce?

There are a few ways you could reproduce this issue:

Option 1:

  1. Create a button that when clicked will refresh the signed in user's token
  2. Sign in as a keycloak user and get a valid token
  3. Check when the token expires
  4. Wait until the token expires and then click on the button to refresh your token
  5. You will see that you are not automatically logged out, the refresh fails and that keycloak will print an uncaught promise error to the console

Option 2:

  1. Create a button that when clicked will refresh the user's token and then logout the signed in keycloak user
  2. Sign in as a keycloak user and get a valid token
  3. Check when the token expires
  4. Wait until the token expires and then click on the button to logout
  5. You will see that a request is made to logout but keycloak returns an error of 'invalid_id_token'

Anything else?

No response

@RyanLefebvre (Author)

I just opened this pull request with a fix that solves this issue: #14569

@mposolda (Contributor)

It is possible that this issue is already fixed in latest Keycloak main. Commented on the related PR #14569; we can possibly continue discussion on the PR.

@rmalenko

Hi,

I have got the same error but with login

(screenshot attached in the original comment)

@mposolda mposolda added this to the Backlog milestone Feb 23, 2023
@jonkoops jonkoops self-assigned this May 11, 2023
@lucapollani

This comment was marked as off-topic.

@vladimirsvicevicsrb

This comment was marked as off-topic.

@keycloak-github-bot

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.
