Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well #15058

Open
FAUSheppy opened this issue Oct 20, 2022 · 10 comments
Labels: area/oidc (Indicates an issue on OIDC area), help wanted, kind/bug (Categorizes a PR related to a bug), priority/normal, status/auto-bump, team/core-clients

Comments

@FAUSheppy

FAUSheppy commented Oct 20, 2022

Describe the bug

Backchannel Logout is not sent, if Frontchannel Logout is enabled as well

Relevant lines:

Version

16.0.1

Expected behavior

  • UI stops me from enabling both
  • OR both working
  • OR at least some sort of error

Actual behavior

Backchannel logout just doesn't work (nothing sent out from Keycloak), no errors, UI doesn't prevent me from making this setting.

How to Reproduce?

Enable both Backchannel logout and Frontchannel logout; if you hit logout, no Backchannel Logout request is sent.

Anything else?

No response

@FAUSheppy FAUSheppy added kind/bug Categorizes a PR related to a bug status/triage labels Oct 20, 2022
@stianst stianst added the area/oidc Indicates an issue on OIDC area label Oct 20, 2022
@sschu
Contributor

sschu commented Oct 20, 2022

I would assume this is expected - you either do backchannel or front channel logout?

@FAUSheppy
Author

  • Nothing in the OIDC protocol says I can't do both as far as I know.
  • I think not allowing to enable both is fine as well
  • Just silently not doing BCL, without any error or warning, after you enabled Frontchannel by accident or for testing, is unexpected and disruptive behavior. If BCL and FCL are mutually exclusive (which I don't think they are), then the frontend should reflect that.

Then again, I don't understand why one wouldn't just let the BCL run as well, especially if FCL has failed; the specs clearly say that if a session has already been logged out, then the BCL is supposed to succeed anyway and do nothing on the client side.

@FAUSheppy
Author

I'm not the first person getting caught off guard by this: https://keycloak.discourse.group/t/backchannel-logout-url-not-working/17121/4

@sschu
Contributor

sschu commented Oct 21, 2022

There is probably a better way to convey what is happening. Still, I am not sure why you would want to have both at the same time? What is your use case there?

@FAUSheppy
Author

I have no use case for this yet, I forgot to turn it off after testing, forgot I ever had it on, and then had to wonder why BCL wasn't doing anything anymore.

I don't know if this behavior is obvious to me but:

  • it isn't obvious to me
  • there is nothing in the protocol to indicate this
  • there is nothing in Keycloak to indicate this

This is an arbitrary decision by the software and should be communicated to the user properly or removed completely.

@sschu
Contributor

sschu commented Oct 24, 2022

If I wanted to log out users, I would choose one way to do it. I currently don't know a use case where you would want to have both at the same time. But yes, it should be clear only one of two ways is supported at the same time.

@pjgg

pjgg commented Dec 11, 2022

I think they should be mutually exclusive. The UI should do a cross-field validation in order to throw an error if both logouts are enabled. On the other hand, the backchannel logout should have an enabled/disabled button in order to hide or show all the backchannel options (IMO).

@mposolda mposolda added this to the Backlog milestone Apr 4, 2023
@mposolda
Contributor

mposolda commented Apr 4, 2023

Thanks for the report, but unfortunately, due to the amount of other reported issues and other priorities, the Keycloak team does not have time to properly triage this bug. So it is preliminarily added to the Backlog for now.
It will be helpful if:

  • You can verify if it is still applicable in the latest released Keycloak version. If not, then closing this issue is welcome.
  • If you figure out that this may not be a valid bug (for example, just a mistake in configuration etc.), closing this issue is also welcome.
  • If it is still applicable in the latest version, it is welcome to add a comment as well that this was still reproduced with the latest Keycloak version, as it is very valuable info. Anyone is welcome to comment with this or add other relevant comments to this issue.

@keycloak-github-bot

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

@mposolda
Contributor

mposolda commented Mar 6, 2024

@pjgg @sschu @FAUSheppy Thanks for the report and discussion. Agree that the UI should prevent enabling both frontchannel and backchannel logout. Also, the server side should have validation and probably throw an error if there is an attempt to enable both during client creation/update.

A PR is welcome to improve this, as it is not certain when the Keycloak team will have time to prioritize it.
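Until such validation exists, the practical check is to audit the realm's client configuration for the combination this issue describes (frontchannel logout enabled alongside a configured backchannel logout URL). The script below is an added example written for this page; it is not Keycloak code and not something any participant posted. It assumes the shape of the ClientRepresentation JSON that `GET /admin/realms/{realm}/clients` returns, specifically the boolean field `frontchannelLogout` and the client attributes `backchannel.logout.url` and `frontchannel.logout.url`; the sample client list is constructed here, and the `prefer_backchannel` remediation helper is hypothetical.

```python
"""Audit Keycloak client representations for frontchannel + backchannel logout.

Added example for this issue, not Keycloak's own code. Field and attribute names
below are assumptions about the admin API's ClientRepresentation JSON.
"""
import json
from copy import deepcopy

BACKCHANNEL_URL_ATTR = "backchannel.logout.url"    # assumed Keycloak attribute key
FRONTCHANNEL_URL_ATTR = "frontchannel.logout.url"  # assumed Keycloak attribute key

# Constructed sample (not real data): a trimmed response of
# GET /admin/realms/{realm}/clients, with one client per interesting case.
SAMPLE_CLIENTS_JSON = """
[
  {"clientId": "web-portal", "protocol": "openid-connect", "enabled": true,
   "frontchannelLogout": true,
   "attributes": {"backchannel.logout.url": "https://portal.example.test/bcl",
                  "backchannel.logout.session.required": "true"}},
  {"clientId": "api-gateway", "protocol": "openid-connect", "enabled": true,
   "frontchannelLogout": false,
   "attributes": {"backchannel.logout.url": "https://gw.example.test/bcl"}},
  {"clientId": "legacy-spa", "protocol": "openid-connect", "enabled": true,
   "frontchannelLogout": true,
   "attributes": {"frontchannel.logout.url": "https://spa.example.test/fcl"}},
  {"clientId": "saml-app", "protocol": "saml", "enabled": true,
   "frontchannelLogout": true, "attributes": {}},
  {"clientId": "disabled-app", "protocol": "openid-connect", "enabled": false,
   "frontchannelLogout": true,
   "attributes": {"backchannel.logout.url": "https://old.example.test/bcl"}}
]
"""


def load_clients(clients_json):
    """Parse the admin API's client list (a JSON array of client representations)."""
    return json.loads(clients_json)


def logout_mode(client):
    """Classify which logout channels a client has configured.

    Returns "both", "backchannel", "frontchannel" or "none". A backchannel URL
    counts only if it is non-empty; frontchannel counts if the flag is true.
    """
    attrs = client.get("attributes") or {}
    bcl_url = (attrs.get(BACKCHANNEL_URL_ATTR) or "").strip()
    fcl = bool(client.get("frontchannelLogout", False))
    if bcl_url and fcl:
        return "both"
    if bcl_url:
        return "backchannel"
    if fcl:
        return "frontchannel"
    return "none"


def find_conflicting_logout_config(clients, include_disabled=False):
    """Return clientIds whose backchannel logout URL would never be called because
    frontchannel logout is enabled on the same OIDC client (the bug in this issue)."""
    hits = []
    for client in clients:
        # Only OIDC clients have these two options; assume OIDC when unspecified.
        if client.get("protocol", "openid-connect") != "openid-connect":
            continue
        if not include_disabled and not client.get("enabled", True):
            continue
        if logout_mode(client) == "both":
            hits.append(client["clientId"])
    return hits


def prefer_backchannel(client):
    """Hypothetical remediation: return a copy with frontchannel logout switched off.

    A caller would PUT the result to /admin/realms/{realm}/clients/{id}. Choosing
    backchannel is a policy decision; it is the server-to-server channel that does
    not depend on the user's browser still rendering the logout page.
    """
    fixed = deepcopy(client)
    fixed["frontchannelLogout"] = False
    fixed.setdefault("attributes", {}).pop(FRONTCHANNEL_URL_ATTR, None)
    return fixed


def audit(clients_json, include_disabled=False):
    """Convenience wrapper: parse, then list the conflicting clientIds."""
    return find_conflicting_logout_config(load_clients(clients_json), include_disabled)


if __name__ == "__main__":
    for client_id in audit(SAMPLE_CLIENTS_JSON, include_disabled=True):
        print(f"{client_id}: frontchannel logout enabled alongside a backchannel logout URL")
```

Run it against a real export by replacing `SAMPLE_CLIENTS_JSON` with the body of `GET /admin/realms/{realm}/clients` (fetched with an admin bearer token); disabled clients are skipped by default because they cannot trigger a logout, but pass `include_disabled=True` when cleaning up configuration rather than hunting a live symptom.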
