I have looked into #2920951: Add Single Sign Out using OpenID Connect Session Management and Single Sign Out endpoint and as I have the dev release of both keycloak and openid_connect installed, I thought I should have everything required. I checked the code in the patches and it all seems to be in my code base.

Now I enable keycloak_sign_out, which is set to true, but when I log out from Drupal I still remain logged into Keycloak.

Can you give me some advice on what needs to be done to get this to work?

Comments

jurgenhaas created an issue. See original summary.

msmorais’s picture

I have the same problem

davidsharpe’s picture

I also had this problem, but I think I easily resolved it by running drush cr after installing, enabling, and configuring the Keycloak module.

Environment:

Test:

  1. Login with a Keycloak user
  2. Logout using the Drupal logout link
  3. Click the Keycloak login button again
  4. BAD: User is automatically logged in without prompting for credentials

I think the "problem" is here https://git.drupalcode.org/project/keycloak/-/blob/8.x-1.x/src/Routing/K...

  protected function alterRoutes(RouteCollection $collection) {
    // Whether the Keycloak client is disabled.
    if (!$this->keycloak->isEnabled()) {
      return;
    }
    // ...
  }

The alterRoutes method alters the log out process, but the method is only run if the Keycloak OIDC provider is enabled (in the OpenID Connect configuration form), and it's only run when the Keycloak module is first installed. This is an impossible state, because the provider is disabled by default when the module is first installed. You need to force the alterRoutes method to run again after you enable and configure the Keycloak provider in the OpenID Connect configuration form.

After doing this, I repeated the test:

  1. Login with a Keycloak user
  2. Logout using the Drupal logout link
  3. Click the Keycloak login button again
  4. GOOD: User is prompted for Keycloak credentials

I'm not familiar with Drupal so I don't know if this is a "bug" or just typical behaviour for this sort of thing.

bramdriesen’s picture

Status: Active » Closed (works as designed)

I believe this is how it's designed to work.

It doesn't mean if you log-out from Drupal that you should be logged out from Keycloak as well. That would break the whole idea behind SSO. You can set different timeout rules from within Drupal and Keycloak. For example your Keycloak credentials can be valid for 8 hours, but your Drupal session is destroyed after one hour, prompting you again to log-in or at least hit the keycloak login page.

jurgenhaas’s picture

@BramDriesen I couldn't agree more. I only opened this issue 3 years ago because my client at the time thought this is what they needed. We have since changed the strategy and don't use this anymore.

However, whether we like it or not, what else is the purpose of the keycloak_sign_out option if not exactly that: sign out from keycloak when you sign out from Drupal? Yes, it's strange, but that's what it should do. I've since seen not only one implementation of SSO scenarios where exactly that was what people were looking for, I'm afraid.

bramdriesen’s picture

Version: 8.x-1.x-dev » 2.2.x-dev
Category: Support request » Bug report
Status: Closed (works as designed) » Active

Good question! I have no idea myself as I also only recently adopted the module to help maintain it.

Will set it back to active to have a more in-depth look at the ticket which added the functionality. Seems like people there also reported it not to work.

nguerinet’s picture

I'm working with this module and trying to understand where the issue could be.

In the KeycloakController file, the user is first logged out and then we try to redirect to the Keycloak logout with sso_token.
We are not redirected to /keycloak/logout?id_token=... because we are no longer connected.

The solution I am trying is to log out the user when the user is logged out from SSO (that's what we want) and only log out the user in the controller if KeycloakSignout is not enabled.

For the record, I worked with version 1.7 of the module, but from reading the code for version 2.2 the behaviour seems to be the same.
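
A simplified model of the ordering problem described in this comment, as an added example that is not code from the thread or from the Keycloak module: once the local session is destroyed, nothing is left to send to the identity provider as `id_token_hint` (a parameter from OpenID Connect RP-Initiated Logout, not the module's `id_token` query argument), so the provider session survives. Assumptions: an array stands in for the Drupal session, and the endpoint URL, the `oidc_id_token` key and all function names are hypothetical; the fix shown captures the token before destroying the session, which is one alternative to deferring the local logout as proposed above.

```php
<?php
declare(strict_types=1);

// Hypothetical values for illustration; not taken from the module or the thread.
const END_SESSION_ENDPOINT = 'https://sso.example.test/realms/demo/protocol/openid-connect/logout';
const POST_LOGOUT_URI = 'https://drupal.example.test/';

/** Build the RP-initiated logout URL, or return NULL if no ID token is available. */
function buildIdpLogoutUrl(?string $idToken): ?string {
  if ($idToken === NULL || $idToken === '') {
    return NULL;
  }
  return END_SESSION_ENDPOINT . '?' . http_build_query([
    'id_token_hint' => $idToken,
    'post_logout_redirect_uri' => POST_LOGOUT_URI,
  ], '', '&', PHP_QUERY_RFC3986);
}

/** Stand-in for destroying the local session (array passed by reference). */
function destroyLocalSession(array &$session): void {
  $session = [];
}

/** Broken order: the session is gone before the token is read. */
function logoutLocalFirst(array &$session): string {
  destroyLocalSession($session);
  $url = buildIdpLogoutUrl($session['oidc_id_token'] ?? NULL);
  // No token left, so we fall back to a local page and the IdP session stays alive.
  return $url ?? POST_LOGOUT_URI;
}

/** Fixed order: capture the token, destroy the local session, then go to the IdP. */
function logoutTokenFirst(array &$session, bool $signOutEnabled): string {
  $idToken = $session['oidc_id_token'] ?? NULL;
  destroyLocalSession($session);
  if (!$signOutEnabled) {
    return POST_LOGOUT_URI;
  }
  return buildIdpLogoutUrl($idToken) ?? POST_LOGOUT_URI;
}

// Constructed sample session; the token is a placeholder, not a real JWT.
$a = ['uid' => 42, 'oidc_id_token' => 'header.payload.signature'];
$b = $a;
echo 'local first: ', logoutLocalFirst($a), PHP_EOL;
echo 'token first: ', logoutTokenFirst($b, TRUE), PHP_EOL;
```

In both functions the local session is always destroyed, so a failed or skipped redirect to the provider never leaves the Drupal-side session open.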

j-lee’s picture

Is this still an issue with the latest version?