
Quarkus oidc integration, backchannel logout support #23477

Closed
tassadar81 opened this issue Feb 7, 2022 · 5 comments · Fixed by #24611
Labels: area/oidc, kind/enhancement (New feature or request)

Comments
@tassadar81

Description

As discussed with @sberyozkin on Zulip, a backchannel logout feature is missing in the OIDC Quarkus integration. In some scenarios, like two clients in the same realm, such functionality is necessary. The route for backchannel logout consumes a JWT token and I guess it has to be public and able to recognize the user session from this token.
An old issue was opened, btw; I report it here for reference: #4481

Thank you

Implementation ideas

No response

@tassadar81 tassadar81 added the kind/enhancement New feature or request label Feb 7, 2022
@quarkus-bot quarkus-bot bot added the area/oidc label Feb 7, 2022
@quarkus-bot

quarkus-bot bot commented Feb 7, 2022

/cc @pedroigor, @sberyozkin

@orivat

orivat commented Feb 23, 2022

@sberyozkin

I have made a test with:
- Keycloak
- Quarkus OIDC client app (1)
- JBoss OIDC client app (2)

Step 1:
JBoss and Quarkus are authenticated against Keycloak

Step 2:
The user session is terminated at Keycloak

Step 3:
- JBoss app is disconnected
- Quarkus app remains active.

With the JBoss app, Keycloak is using the JBoss client adapter.
When you click the Logout all button (of Keycloak), all SSO cookies become invalid, and clients requesting authentication within active browser sessions must log in again. Keycloak notifies clients of the logout event by using the Keycloak OIDC client adapter.

I agree that Quarkus client apps do not receive the logout back channel notification, as mentioned in thread #23477.

Therefore, to prepare migration from WildFly/JBoss apps to Quarkus, being able to support RP backchannel notifications is something really important for a seamless integration for OIDC clients.

@sberyozkin sberyozkin self-assigned this Mar 14, 2022
@sberyozkin

@orivat This is the issue I'd try to prioritize upon.

@tassadar81 @pedroigor How does Keycloak do the backchannel logout? The way it is described at https://openid.net/specs/openid-connect-backchannel-1_0.html or differently? I have not been able to confirm it in the docs.

Thanks

@sberyozkin

@tassadar81 @pedroigor If it is a logout JWT token then we can verify it and then compare its iss/aud claim values with the ones from the current ID token and remove the session token in case of the match
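A sketch of the check described in the comment above, added here as an illustration and not code from Quarkus or from PR #24611. It assumes an HS256 shared secret and constructed session data; a real relying party verifies the logout token against the provider's published keys. Beyond the iss/aud comparison, it applies the other claim rules from the Back-Channel Logout spec (logout event present, no nonce, sid or sub required) before removing the matching session.

```python
import base64
import hmac
import json

# Constructed demo data (not real endpoints or keys); a real RP verifies with the provider's JWKS.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SECRET = b"constructed-demo-secret"
ID_TOKEN_CLAIMS = {"iss": "https://idp.example/realms/demo", "aud": "quarkus-app"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_logout_token(claims: dict) -> str:  # stands in for the provider in tests
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), "sha256").digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_logout_token(token: str, id_claims: dict) -> dict:
    """Signature check, then the Back-Channel Logout 1.0 claim rules; ValueError on failure."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # pin alg: no "none", no RS/HS swap
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), "sha256").digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    aud = claims.get("aud")
    if claims.get("iss") != id_claims["iss"]:
        raise ValueError("iss does not match the current ID token")
    if id_claims["aud"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not match the current ID token")
    if LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("events claim lacks the backchannel-logout event")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("logout token needs sid or sub")
    return claims

def handle_backchannel_logout(token: str, sessions: dict, id_claims: dict) -> list:
    claims = verify_logout_token(token, id_claims)
    key = "sid" if "sid" in claims else "sub"  # sid targets one session, sub all of a user's
    removed = [k for k, s in sessions.items() if s.get(key) == claims[key]]
    for k in removed:
        del sessions[k]  # the session token is dropped only after every check passed
    return removed
```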

@sberyozkin

@orivat we have a draft PR at #24611 and will do a few more checks; in meantime, if you could try that PR in your setup and let us know if it works as expected then it would help, thanks

@quarkus-bot quarkus-bot bot added this to the 2.9 - main milestone Apr 13, 2022