keycloak/keycloak
Voir sur GitHubDisabling a User Does Not Remove Sessions, and User Deletion Does Not Trigger Logout Requests
Open
#37 981 ouverte le 10 mars 2025
area/corehelp wantedkind/enhancementteam/core-iamteam/core-shared
Métriques du dépôt
- Stars
- (34 398 stars)
- Métriques de merge PR
- (Merge moyen 6j 19h) (384 PRs mergées en 30 j)
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
No response
Describe the bug
Description I have observed two issues related to session management in Keycloak:
-
Disabling a User Does Not Remove Active Sessions
- When an admin disables a user (e.g., via the admin console), the user's active sessions remain open.
- Expected Behavior: Disabling a user should immediately remove all active sessions and trigger a logout request to registered clients.
-
User Deletion Does Not Trigger Backchannel Logout
- When an admin deletes a user, all their sessions are removed from Keycloak, but no backchannel logout request is sent to registered clients.
- This means clients are unaware of the session removal and do not clean up their own sessions accordingly.
- Expected Behavior: When a user is deleted, Keycloak should notify the affected clients where backchannel logout is configured.
Version
25.0.5, 25.0.6 , 26.1.3
Regression
- The issue is a regression
Expected behavior
- Disabling a user should immediately terminate all active sessions.
- Deleting a user should trigger a logout request to registered clients.
Actual behavior
- Disabling users retain their active sessions.
- No backchannel logout request is sent when a user is deleted.
How to Reproduce?
- Ensure that backchannel logout is configured.
- Disable a user and check if their Sessions are still active.
- Delete a user and verify if registered clients receive a logout request.
Anything else?
No response