When the user connects using Keycloak, the validity of the Keycloak session should be checked on page load. If the Keycloak session has expired, the Drupal session should be terminated as well.

Furthermore, the Single Sign-Out endpoint of Keycloak should be triggered if a user who signed in with Keycloak logs off from Drupal.


Comments

Mario Steinitz created an issue.

Mario Steinitz

Version: » 8.x-1.x-dev
Assigned: Unassigned » Mario Steinitz
Mario Steinitz

Status: Active » Needs review
FileSize
42.84 KB

Initial version that supports Single Sign-Out.

Prerequisites

- OpenID Connect 8.x-1.x-dev

- OpenID Connect patch from issue #2921095 applied.

Known issues & limitations

No automatic session renewal after SO session changes detected

The OpenID Connect specifications suggest trying to renew the tokens with a prompt-less request to the auth server. However, we didn't like to alter too much for now. The patched solution does not try to refresh sessions after OP logout was detected. Instead, the user will immediately be redirected to Drupal's <front> page.

Sign out race conditions

When Drupal-initiated Single Sign-Out takes place (e.g. when the user logs out in Drupal) and Keycloak-initiated Single Sign-Out detection in Drupal is enabled, both mechanisms may try to log the user out and redirect to the start page.
The asynchronous in-page JavaScript requests (that check for OP-initiated sign-outs) may recognize a terminated session even before Keycloak has answered an RP-initiated sign-out request (e.g. when the user logs out in Drupal) with a redirect. As both sign-out mechanisms redirect to the front page, the user experience won't be much affected.

No automated testing

Mario Steinitz

FileSize
31.8 KB

Merged KeycloakService into 8.x-1.x-dev and re-rolled the patch.

Will wait to merge the single sign-out features until there is feedback from the openid_connect maintainers about the supposed changes to its after-authorization hook (issue #2921095), which our single sign-out heavily depends on.

Mario Steinitz

FileSize
32.79 KB

Fixes some coding standard issues.

Mario Steinitz

FileSize
33.12 KB

Re-rolled patch for current 8.x-1.x-dev version.

Mario Steinitz

This is an interdiff to the patch of issue #2920952.

If you would like to enable single sign-out and groups mapping in the current 8.x-1.x-dev version (for testing purposes):
- apply the patch of issue #2921095 to the dev version of the openid_connect module,
- apply the groups mapping patch of issue #2920952 to the keycloak module dev version,
- then apply this interdiff to the keycloak module dev version.

  • Mario Steinitz committed 5fbd490 on 8.x-1.x-2920951-single-sign-out
    Issue #2920951: Add single sign-out support.
    
Mario Steinitz

Not yet production ready. The above branch still depends on https://www.drupal.org/files/issues/openid_connect-2921095-5.patch and will be merged into the module once the openid_connect maintainers have decided about this patch.

Mario Steinitz

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

msmorais

Logout of the Keycloak is not working for me.

hiralshah1991

Keycloak-initiated single sign-out is not working.
This is the scenario:
After the check session interval is reached, the Drupal user gets logged out, but there is still a session in the Keycloak server for that user.

I did some debugging and anticipated that once the check session time is reached, the Drupal app sends a request to login-status-iframe.html with the client ID and session ID. But when the iframe tries to read the cookie to match it with the session ID received from the Drupal app, it does not match, as the iframe is not able to read the cookie: it stays null. As a result it responds "changed" to the Drupal app, and the Drupal app logs the user out by calling /user/logout?op_initiated=1.

Can someone please help to resolve this, or guide me on what I should do to make this work?
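For readers following the two threads above (the sign-out race condition in the "Known issues & limitations" comment, and the "changed" reply from login-status-iframe.html in the comment just before this), here is an added example of a minimal RP-side check-session handler written in the shape of OpenID Connect Session Management. It is editor-supplied illustration, not code from the keycloak module or from any commenter. `OP_ORIGIN`, `CLIENT_ID` and the session state value are constructed placeholders; `/user/logout?op_initiated=1` is the path named in this issue. It shows three things a reviewer of such a patch would look for: the RP only acts on messages whose origin is the OP (otherwise any frame on the page could force a logout), an "error" reply is kept apart from a "changed" reply (an iframe that cannot read its cookie is a broken check, not proof that the OP session ended), and a single in-progress flag prevents the RP-initiated and OP-initiated logouts from both redirecting.

```javascript
// Added example (not the keycloak module's own code): RP-side check-session
// handling in the shape of OpenID Connect Session Management. The RP posts
// "<client_id> <session_state>" to the OP's login-status iframe; the OP
// answers "unchanged", "changed" or "error". Values below are constructed.
const OP_ORIGIN = "https://keycloak.example.invalid"; // assumed Keycloak origin
const CLIENT_ID = "drupal";                            // assumed client id
const LOGOUT_URL = "/user/logout?op_initiated=1";     // path named in the thread

// Message the RP posts to the OP iframe.
function buildCheckMessage(clientId, sessionState) {
  return `${clientId} ${sessionState}`;
}

// Turn a window "message" event into a verdict. Messages whose origin is not
// the OP are ignored; "error" or anything malformed is kept apart from
// "changed" so that a check that merely failed does not end the RP session.
function classifyCheckResponse(event, opOrigin) {
  if (!event || event.origin !== opOrigin) return "ignore";
  switch (event.data) {
    case "unchanged": return "keep";
    case "changed":   return "logout";
    default:          return "error";
  }
}

// Session checker with a race guard. Once a logout is under way, whether the
// user clicked "log out" in Drupal (markRpLogout) or the OP reported
// "changed", further "changed" replies do not trigger a second redirect.
function createSessionChecker({ opOrigin, clientId, sessionState, onLogout, onError }) {
  let logoutInProgress = false;
  let consecutiveErrors = 0;
  return {
    message: () => buildCheckMessage(clientId, sessionState),
    handle(event) {
      const verdict = classifyCheckResponse(event, opOrigin);
      if (verdict === "keep") { consecutiveErrors = 0; return "keep"; }
      if (verdict === "error") { consecutiveErrors += 1; onError(consecutiveErrors); return "error"; }
      if (verdict === "logout") {
        if (logoutInProgress) return "already-logging-out";
        logoutInProgress = true;
        onLogout(LOGOUT_URL);
        return "logout";
      }
      return "ignore";
    },
    markRpLogout() { logoutInProgress = true; },
    isLoggingOut: () => logoutInProgress,
    errorCount: () => consecutiveErrors,
  };
}

// Browser wiring (defined, not executed here): post the check message to the
// OP iframe on an interval and feed the replies to the checker. Stops posting
// once a logout is in progress so no late "changed" reply can race the redirect.
function startChecking(checker, iframe, opOrigin, intervalMs) {
  window.addEventListener("message", (event) => checker.handle(event));
  return setInterval(() => {
    if (!checker.isLoggingOut()) {
      iframe.contentWindow.postMessage(checker.message(), opOrigin);
    }
  }, intervalMs);
}
```

In a page you would call `startChecking(checker, document.getElementById("op-check-session"), OP_ORIGIN, 5000)` and, in the Drupal logout link's click handler, `checker.markRpLogout()` before the redirect; `onError` is the hook where a site can log a persistent "error" reply for investigation instead of treating it as a sign-out.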

BramDriesen