Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well #15058
Comments
I would assume this is expected - you either do backchannel or front channel logout?
Then again I don't understand why one wouldn't just let the BCL run as well - especially if FCL has failed, the Specs clearly say that if a Session has already been logged out, then the BCL is supposed to succeed anyway and do nothing on the client side.
I'm not the first person getting caught off guard by this: https://keycloak.discourse.group/t/backchannel-logout-url-not-working/17121/4
There is probably a better way to convey what is happening. Still I am not sure why you would want to have both at the same time? What is your use case there?
I have no use case for this yet, I forgot to turn it off after testing, forgot I ever had it on, and then had to wonder why BCL wasn't doing anything anymore. I don't know if this behavior is obvious to me but:
This is an arbitrary decision by the Software and should be communicated to the user properly or removed completely.
If I wanted to log out users, I would choose one way to do it. I currently don't know a use case where you would want to have both at the same time. But yes, it should be clear only one of two ways is supported at the same time.
I think they should be mutually exclusive. The UI should do a cross field validation in order to throw an error if both logouts are enabled. On the other hand the backchannel logout should have an enabled/disabled button in order to hide or show all the backchannel options (IMO)
Thanks for the report, but unfortunately due to the amount of other reported issues and other priorities, Keycloak team does not have time to properly triage this bug. So preliminarily added to Backlog for now.
Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment. If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.
@pjgg @sschu @FAUSheppy Thanks for the report and discussion. Agree that UI should prevent enabling both frontchannel and backchannel logout. Also server-side should have validation and probably throw an error if there is an attempt to enable both during client creation/update. PR is welcome to improve this as not sure when Keycloak team has time to prioritize this.
Describe the bug
Backchannel Logout is not sent, if Frontchannel Logout is enabled as well
Relevant lines:
keycloak/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
Line 479 in e6a5f9c
Version
16.0.1
Expected behavior
Actual behavior
Backchannel logout just doesn't work (nothing sent out from Keycloak), no errors, UI doesn't prevent me from making this setting.
How to Reproduce?
Enable both Backchannel logout and Frontchannel logout, if you hit logout, no Backchannel Logout request is sent.
Anything else?
No response
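An audit for the configuration described in this issue, as an added example that is not part of the original thread or of Keycloak's code: it scans a realm export for clients that have frontchannel logout enabled and a backchannel logout URL set. The field name `frontchannelLogout` and the attribute key `backchannel.logout.url` are assumptions about the realm export format, and the sample export and client names are constructed.

```python
import json

# Constructed sample in the shape of a realm export; all names and URLs are made up.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "portal", "enabled": True, "frontchannelLogout": True,
         "attributes": {"backchannel.logout.url": "https://portal.example/bcl"}},
        {"clientId": "api", "enabled": True, "frontchannelLogout": False,
         "attributes": {"backchannel.logout.url": "https://api.example/bcl"}},
        {"clientId": "legacy", "enabled": True, "frontchannelLogout": True,
         "attributes": {}},
        # Edge case: attribute present but blank, so no backchannel logout is configured.
        {"clientId": "blank-url", "enabled": True, "frontchannelLogout": True,
         "attributes": {"backchannel.logout.url": "   "}},
        # Edge case: export without an attributes object at all.
        {"clientId": "no-attrs", "enabled": False, "frontchannelLogout": True},
    ],
})


def conflicting_logout_clients(realm_export_json):
    """Return clients with both frontchannel logout and a backchannel logout URL.

    Per the issue above, such clients receive no backchannel logout request,
    and neither the UI nor the server reports an error.
    """
    realm = json.loads(realm_export_json)
    findings = []
    for client in realm.get("clients") or []:
        attrs = client.get("attributes") or {}
        bcl_url = (attrs.get("backchannel.logout.url") or "").strip()
        if client.get("frontchannelLogout") is True and bcl_url:
            findings.append({
                "realm": realm.get("realm"),
                "clientId": client.get("clientId"),
                "backchannelLogoutUrl": bcl_url,
                "enabled": client.get("enabled", True),
            })
    return findings


if __name__ == "__main__":
    for finding in conflicting_logout_clients(SAMPLE_REALM_EXPORT):
        print("both logout channels configured: {clientId} (realm {realm}) -> "
              "{backchannelLogoutUrl}".format(**finding))
```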