Keycloak-JS18 Fails To Automatically Logout After a Failed Token Refresh #14568
Labels
area/adapter/javascript
area/oidc
help wanted
kind/bug
priority/low
status/auto-bump
status/auto-expire
team/core-clients
Describe the bug
After upgrading our keycloak server and keycloak-js adapter to keycloak 18 we are no longer seeing an automatic logout when a user's token expires. Instead users have been getting stuck inside our application with an expired JWT after a failed token refresh. Logging out with an active session works as expected.
In Keycloak 18 the redirect_uri parameter was deprecated. Instead docs say to use the new parameters id_token_hint and post_logout_redirect_uri when making a request to the logout endpoint for keycloak instead of redirect_uri.
The logout function on the frontend however did not change much from the consumer's perspective. The API was the same and all it expects is a redirectURI as an optional parameter. But the way the logout URL is built behind the scenes did change to automatically convert the redirectURI into the new post_logout_redirect_uri parameter and add the idToken to the logout request automatically.
This change to the way the logout URL is built is the reason for the bug. Notice how when a token refresh fails, the tokens are cleared. This means that all of the tokens are cleared, including the idToken. This explains why logging out works during an active session but the adapter fails to automatically log out after a failed token refresh. It's because the failed token refresh removes a variable needed to build the new logout URL!
Our current workaround for this is to save the idToken, listen for a failed token refresh, reset the token on the keycloak object and then manually logout which defeats the purpose of the keycloak-js adapter taking care of session state management.
```javascript
// onAuthRefreshError is a callback property on the keycloak object, so it is assigned rather than called
keycloak.onAuthRefreshError = () => { keycloak.idToken = ourSavedIdToken; keycloak.logout(); };
```
Version
18.0.1
Expected behavior
When a session expires and a token refresh fails, keycloak should log the user out.
Actual behavior
When a session expires and a token refresh fails, keycloak is unable to log the user out because their idToken is cleared making it impossible to build a valid keycloak 18 logout request.
How to Reproduce?
There are a few ways you could reproduce this issue:
Option 1:
Option 2:
Anything else?
No response