Can't get SingleSignOut to work

Created on 17 January 2020, almost 5 years ago
Updated 23 May 2023, over 1 year ago

I have looked into Add Single Sign Out using OpenID Connect Session Management and Single Sign Out endpoint Fixed and as I have the dev release of both keycloak and openid_connect installed, I thought I should have everything required. I checked the code in the patches and it seems all to be in my code base.

Now I enable keycloak_sign_out which is set to true, but when I logout from Drupal I still remain logged into KeyCloak.

Can you give me some advise on what needs to be done to get this to work?

🐛 Bug report
Status

Active

Version

2.2

Component

Code

Created by

🇩🇪Germany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇧🇪Belgium BramDriesen Belgium 🇧🇪

    I believe this is how it's designed to work.

    It doesn't mean if you log-out from Drupal that you should be logged out from Keycloak as well. That would break the whole idea behind SSO. You can set different timeout rules from within Drupal and Keycloak. For example your Keycloak credentials can be valid for 8 hours, but your Drupal session is destroyed after one hour, prompting you again to log-in or at least hit the keycloak login page.

  • 🇩🇪Germany jurgenhaas Gottmadingen

    @BramDriesen I couldn't agree more, only opened this issue 3 years ago because my client at the time thought, this is what they needed. We since have changed the strategy and don't use this anymore.

    However, whether we like it or not, what else is the purpose of the keycloak_sign_out option if not exactly that: sign out from keycloak when you sign out from Drupal? Yes, it's strange, but that's what it should do. I've since seen not only one implementation of SSO scenarios where exactly that was what people were looking for, I'm afraid.

  • Status changed to Active almost 2 years ago
  • 🇧🇪Belgium BramDriesen Belgium 🇧🇪

    Good question! I have no idea myself as I also only recently adopted the module to help maintain it.

    Will set it back to active to have a more in depth look in the ticket which added the functionality. Seems like people there also reported it not to work.

  • 🇧🇪Belgium BramDriesen Belgium 🇧🇪
  • 🇫🇷France nguerinet

    I'm working with this module and try to understand where the issue should be.

    In KeycloakController file, the user is first logged out and then we try to redirect to keycloak logout with sso_token.
    We are not redirect to /keycloak/logout?id_token=... because we are no longer connected.

    The solution I try is to logout the user when the user is logged out from SSO (that's what we want) and only log out the user in Controller if KeycloakSignout is not enabled.

    For the record I worked with the version 1.7 of the module

Production build 0.71.5 2024