
Single Sign Out not working in combination with keycloak #5000


Elyytscha opened this issue Feb 23, 2023 · 5 comments


@Elyytscha

I think something is not working with OpenID Connect via Keycloak in StackRox and single sign-out.

If a user who is logged in via an OIDC auth provider (Keycloak client) logs out of StackRox, StackRox redirects to:

https://stackrox.example.com/sso/session/logout

What I would expect is that StackRox redirects to something like:

https://keycloak.example.com/auth/realms/external/protocol/openid-connect/logout?redirect_uri=https://stackrox.example.com/sso/session/logout

So single sign-out would work? But maybe I have misunderstood this topic.
I just don't get single sign-out to work within StackRox, regardless of how I configure the Keycloak client.

For configuring Keycloak and StackRox, I basically followed these two documents:
StackRox and Keycloak: https://blog.stderr.at/acs/2021-12-11-acsauth/
Single sign-out: https://developers.redhat.com/articles/2022/12/07/how-implement-single-sign-out-keycloak-spring-boot
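For reference, the redirect the report expects is what OpenID Connect RP-Initiated Logout 1.0 calls the `end_session_endpoint` leg. The spec names the return parameter `post_logout_redirect_uri` (not `redirect_uri`), recommends sending `id_token_hint` so the OP knows which session to end, and has the RP clear its own session before redirecting and check `state` when the browser comes back. The following is an added illustration of that flow in Python, written for this page; it is not StackRox or Keycloak code. The two endpoint URLs are taken from the post above; the client id `stackrox`, the in-memory session store and the ID token value are assumptions for the example.

```python
"""RP-initiated logout: local logout, redirect to the OP, validate the return leg.

Added example for this thread; not StackRox or Keycloak code.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The two URLs are the ones quoted in the issue; the client id is assumed.
END_SESSION_ENDPOINT = "https://keycloak.example.com/auth/realms/external/protocol/openid-connect/logout"
POST_LOGOUT_REDIRECT_URI = "https://stackrox.example.com/sso/session/logout"
CLIENT_ID = "stackrox"  # hypothetical; must match the client registered at the OP


class RpSessions:
    """Minimal in-memory RP session store (constructed for the example)."""

    def __init__(self):
        self.active = {}                 # session id -> {"id_token": ...}
        self.pending_logout_states = set()

    def login(self, session_id, id_token):
        self.active[session_id] = {"id_token": id_token}


def start_rp_logout(store, session_id, state=None):
    """End the RP session locally, then build the redirect to the OP's end_session_endpoint.

    Parameter names follow RP-Initiated Logout 1.0 section 2. Returns the
    redirect URL, or None if there was no such session to log out.
    """
    # Local logout happens first and unconditionally: even if the OP leg fails,
    # the RP session must not survive a logout click.
    session = store.active.pop(session_id, None)
    if session is None:
        return None
    state = state or secrets.token_urlsafe(16)
    store.pending_logout_states.add(state)
    params = {
        "id_token_hint": session["id_token"],                  # which OP session to end
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,  # must be pre-registered at the OP
        "state": state,                                        # correlates the return leg
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def finish_rp_logout(store, callback_url):
    """Handle the OP's redirect back to post_logout_redirect_uri.

    Only a state value this RP issued is accepted, and only once, so an
    attacker cannot drive the callback with a made-up or replayed state.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or state not in store.pending_logout_states:
        return False
    store.pending_logout_states.discard(state)
    return True


def parse_logout_url(url):
    """Split a logout redirect into (endpoint, {param: value}) for inspection."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base, {k: v[0] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    store = RpSessions()
    store.login("sess-1", "eyJ.dummy.tok")  # constructed ID token placeholder
    print(start_rp_logout(store, "sess-1"))
```

Keycloak's `post_logout_redirect_uri` has to be on the client's allowed list, otherwise the OP will refuse the redirect; that registration is the OP-side half of the configuration the thread is about.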

@charmik-redhat (Contributor)

@stackrox/merlin Do you know about this?

@stehessel (Collaborator)

Hi @Elyytscha, we currently don't support single sign-out in StackRox, so the observed behavior is expected and not due to a misconfiguration on your side.

stehessel closed this as not planned on Feb 28, 2023

@Elyytscha (Author)

Elyytscha commented Mar 1, 2023

Just asking, so StackRox is basically violating the OIDC spec?
https://openid.net/specs/openid-connect-rpinitiated-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html

In my opinion this is a no-go in security-related tooling.
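The back-channel spec cited in this comment defines a `logout_token` JWT that the OP POSTs to the RP's registered back-channel logout URI; the RP has to validate it (section 2.6 of that spec: signature, `iss`, `aud`, `iat`, the `events` claim, presence of `sub` or `sid`, absence of `nonce`, and optionally `jti` replay) before it terminates the matching local session. The block below is an added example of that validation in Python, written for this page; it is not StackRox or Keycloak code. It signs with HS256 and a constructed shared secret so it runs offline; Keycloak signs logout tokens with RS256, and a real RP would verify against the OP's JWKS instead. The issuer URL follows the realm URL quoted in the issue; the client id, secret, and the `make_logout_token` helper standing in for the OP are assumptions.

```python
"""Validate an OIDC back-channel logout_token (Back-Channel Logout 1.0, section 2.6).

Added example for this thread; not StackRox or Keycloak code.
"""
import base64
import hashlib
import hmac
import json

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Issuer follows the realm URL in the issue; client id and secret are constructed.
ISSUER = "https://keycloak.example.com/auth/realms/external"
CLIENT_ID = "stackrox"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 logout_token. Stands in for the OP so the example runs offline;
    a real OP such as Keycloak signs with RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_logout_token(token, now, seen_jtis, issuer=ISSUER, client_id=CLIENT_ID,
                        secret=SHARED_SECRET, max_age=120):
    """Return ({"sub": ..., "sid": ...}, None) if the token is acceptable, else (None, reason).

    `seen_jtis` is the RP's replay cache; `now` is the RP's clock in epoch seconds.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed JWT"
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None, "undecodable JWT"
    # Pin the algorithm before looking at the signature; alg=none is never accepted.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if client_id not in aud_list:
        return None, "wrong audience"
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        return None, "iat missing or outside acceptance window"
    events = claims.get("events")
    # The spec requires the back-channel logout member, and its value must be a JSON object.
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        return None, "missing back-channel logout event"
    if "nonce" in claims:
        return None, "nonce present (logout tokens must not carry one)"
    if "sub" not in claims and "sid" not in claims:
        return None, "neither sub nor sid"
    jti = claims.get("jti")
    if not jti:
        return None, "missing jti"
    if jti in seen_jtis:
        return None, "replayed jti"
    seen_jtis.add(jti)
    return {"sub": claims.get("sub"), "sid": claims.get("sid")}, None
```

On success the RP terminates every local session whose stored `sid` (or, failing that, `sub`) matches and replies 200; any failure returns 400 and leaves sessions alone, which is why the checks are ordered cheapest-to-reject first and why the `jti` is only recorded after everything else has passed.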

@dhaus67 (Contributor)

dhaus67 commented Mar 1, 2023

Hey @Elyytscha.

If you read through the spec, you can see that the implementation of both the front-channel as well as the back-channel logout is optional. The implementation considerations specifically call this out:

> This specification defines features used by both Relying Parties and OpenID Providers that choose to implement RP-Initiated Logout.

There's other solutions as well which currently do not implement this, such as Spring Security.

So, there's no "violation" of the OIDC spec, we currently simply do not support it.

@Elyytscha (Author)

Hello,

> If you read through the spec, you can see that the implementation of both the front-channel as well as the back-channel logout is optional. The implementation considerations specifically call this out:

Agreed, sorry, I didn't see that this is optional.

> There's other solutions as well which currently do not implement this, such as spring-projects/spring-security#7845.

Fine, but they prioritized it and are working on it; over here the decision was to close the ticket.

Just to note, we have a business case to support SLO in all the applications / infrastructure we provide for our customers, because some of our customers are using shared workstations and their business requirement is that SLO works across all applications they use, so also for the applications / infrastructure we provide for them.

best regards,
Elyytscha
