keycloak/keycloak

Disabling a User Does Not Remove Sessions, and User Deletion Does Not Trigger Logout Requests

Open

#37 981 ouverte le 10 mars 2025

Voir sur GitHub
 (10 commentaires) (25 réactions) (0 assignés)Java (8 346 forks)batch import
area/corehelp wantedkind/enhancementteam/core-iamteam/core-shared

Métriques du dépôt

Stars
 (34 398 stars)
Métriques de merge PR
 (Merge moyen 6j 19h) (384 PRs mergées en 30 j)

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

No response

Describe the bug

Description I have observed two issues related to session management in Keycloak:

  1. Disabling a User Does Not Remove Active Sessions

    • When an admin disables a user (e.g., via the admin console), the user's active sessions remain open.
    • Expected Behavior: Disabling a user should immediately remove all active sessions and trigger a logout request to registered clients.
  2. User Deletion Does Not Trigger Backchannel Logout

    • When an admin deletes a user, all their sessions are removed from Keycloak, but no backchannel logout request is sent to registered clients.
    • This means clients are unaware of the session removal and do not clean up their own sessions accordingly.
    • Expected Behavior: When a user is deleted, Keycloak should notify the affected clients where backchannel logout is configured.

Version

25.0.5, 25.0.6 , 26.1.3

Regression

  • The issue is a regression

Expected behavior

  • Disabling a user should immediately terminate all active sessions.
  • Deleting a user should trigger a logout request to registered clients.

Actual behavior

  • Disabling users retain their active sessions.
  • No backchannel logout request is sent when a user is deleted.

How to Reproduce?

  1. Ensure that backchannel logout is configured.
  2. Disable a user and check if their Sessions are still active.
  3. Delete a user and verify if registered clients receive a logout request.

Anything else?

No response

Guide contributeur