
greenlight v3 - Logout not function with keycloak

Open alyfilipe opened this issue 1 year ago • 8 comments

Dear,

When I log out in GL V3 it does not sensitize Keycloak, which keeps my session active. If I try to log in again, it doesn't ask for my credentials and already sends me logged in to GL. Is this correct? How to make GL inform Keycloak about the logout session? Logout URL to force user to log out of Keycloak?

Thank you for options so that you can finalize the tests and put it into production.

alyfilipe avatar May 31 '23 15:05 alyfilipe

At least I found a workaround for now.

Login to the Keycloak Admin Panel -> Head to the greenlight realm -> In the left sidebar, click "Authentication", select the "browser" login flow and set the first step called "Cookie" to "Disabled".

I don't know yet which side effects this setting might have, but at least the logout now works for me.

drudgede avatar Jun 25 '23 14:06 drudgede

Thanks for sharing. The results of my testing indicate that after signing out and attempting to log in with a different account, the error shown in the following image appears. It seems that logging in with the same account is the only viable option.

[image: image_20231114_110519]

tzengshinfu avatar Nov 14 '23 03:11 tzengshinfu

On https://demo.bigbluebutton.org/, I can do the following

  1. Sign in and authenticate with my gmail account.
    • I'm prompted to pick a gmail account and authenticate
  2. Sign out of GreenLight
  3. Sign in again -- this time it bypasses the prompt for sign-in options and automatically logs me in

In step (3), I had expected to get prompted again for sign-in options, which suggests GreenLight is skipping this step and my session token was still valid.

I've found if I wait a bit -- some number of minutes -- and then try signing in again, I'm prompted again with the sign-in options.

I think signing out should invalidate any cookies or cache of the previous sign-in choice.

ffdixon avatar Nov 25 '23 15:11 ffdixon

I found that if I sign out the session of GreenLight V3 in the KeyCloak Administration Console, I also need to manually sign out in GreenLight; otherwise, it stays logged in.

PS: Checking the GreenLight documentation (https://docs.bigbluebutton.org/greenlight/v3/external-authentication), there is no mention of setting a Backchannel logout URL.

tzengshinfu avatar Nov 27 '23 08:11 tzengshinfu

~~You can disable cookie login for keycloak:~~

  1. ~~Login Keycloak greenlight realm as admin~~
  2. ~~Open your greenlight realm's authentication page (/keycloak/admin/master/console/#/greenlight/authentication/)~~
  3. ~~Select "Browser flow" (default "Browser flow" is Browser)~~
  4. ~~Disable cookie~~


~~When cookie login is disabled in Keycloak, the user will not automatically log in to Greenlight every time, and Keycloak will require login every time.~~

~~Greenlight to Keycloak logout is simple in most cases; disabling cookies solves the problem in most cases.~~

For more complex cases:

With logout prompt: OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout?client_id=account

Without logout prompt(id_token_hint is required for auto logout): OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout?client_id=greenlight&id_token_hint=xxxxxxxxxxxxxxxxxx

> I've found if I wait a bit -- some number of minutes -- and then try signing in again, I'm prompted again with the sign-in options.

On the "Realm settings" page, "Sessions" tab, "SSO Session Idle" and "SSO Session Max" can change the time required to be prompted again.

> I found that if I sign out the session of GreenLight V3 in the KeyCloak Administration Console, I also need to manually sign out in GreenLight; otherwise, it stays logged in.

For keycloak to greenlight auto logout you have to adjust "Logout settings" of greenlight client.

Not related to the logout issue, but OPENID_CONNECT_ROLE_FIELD was a very useful option. #5159

gopyns avatar Feb 29 '24 15:02 gopyns

> You can disable cookie login for keycloak:
>
> 1. Login Keycloak greenlight realm as admin
> 2. Open your greenlight realm's authentication page (/keycloak/admin/master/console/#/greenlight/authentication/)
> 3. Select "Browser flow" (default "Browser flow" is Browser)
> 4. Disable cookie
>
> When cookie login is disabled in Keycloak, the user will not automatically log in to Greenlight every time, and Keycloak will require login every time.
>
> Greenlight to Keycloak logout is simple in most cases; disabling cookies solves the problem in most cases.
>
> For more complex cases:
>
> With logout prompt: OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout?client_id=account
>
> Without logout prompt(id_token_hint is required for auto logout): OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/realms/personel/protocol/openid-connect/logout?client_id=greenlight&id_token_hint=xxxxxxxxxxxxxxxxxx
>
> > I've found if I wait a bit -- some number of minutes -- and then try signing in again, I'm prompted again with the sign-in options.
>
> On the "Realm settings" page, "Sessions" tab, "SSO Session Idle" and "SSO Session Max" can change the time required to be prompted again.
>
> > I found that if I sign out the session of GreenLight V3 in the KeyCloak Administration Console, I also need to manually sign out in GreenLight; otherwise, it stays logged in.
>
> For keycloak to greenlight auto logout you have to adjust "Logout settings" of greenlight client.
>
> Not related to the logout issue, but OPENID_CONNECT_ROLE_FIELD was a very useful option. #5159

Hi, gopyns, I cleared the browser's cookies and disabled cookies in the browser flow. Testing the same account to log out and log in again is normal, but switching to another account will display an error message and fail to log in.

tzengshinfu avatar Mar 01 '24 00:03 tzengshinfu

> Hi, gopyns, I cleared the browser's cookies and disabled cookies in the browser flow. Testing the same account to log out and log in again is normal, but switching to another account will display an error message and fail to log in.

Yes, I tested with the same account so I failed to notice; the cookies of the first user login stay in the browser.

The simplest solution will be setting the session time to the minimum (1 minute):

  • "Realm settings" page
    • "Sessions" tab
      • "SSO Session Idle" and/or "SSO Session Max" options

in /keycloak/admin/master/console/#/greenlight/realm-settings/sessions session

Not a real solution, but 1 minute after you log in your Keycloak session will expire. The Greenlight session stays until you log out. As long as the user does not try to log in with two different accounts within a minute, this can solve the issue.

Adding the OPENID_CONNECT_LOGOUT_REDIRECT variable can be the real solution because it gives the required flexibility for different scenarios. In my scenarios I try to return the user to the Keycloak user page; then the user can log out in Keycloak separately.

Return to keycloak user page: OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/account/

With logout prompt: OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout?client_id=account

Without logout prompt(id_token_hint is required for auto logout): OPENID_CONNECT_LOGOUT_REDIRECT=https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout?client_id=greenlight&id_token_hint={login_id_token_hint}

gopyns avatar Mar 01 '24 12:03 gopyns
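
An added example, not part of the thread and not Greenlight or Keycloak code: the `{login_id_token_hint}` placeholder in the last comment stands for a value that differs for every login, so a no-prompt logout URL has to be built per session rather than stored as one static string. The helper name `keycloak_logout_url` and its parameters are hypothetical; it falls back to the prompted `client_id`-only form when no usable ID token is available.

```ruby
require "uri"

# Shape of a compact JWT: three base64url segments separated by dots.
JWT_SHAPE = /\A[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\z/

# Hypothetical helper: builds the redirect to the Keycloak end-session
# endpoint shown in the thread for ONE user session.
#   base      - endpoint URL without a query string
#   client_id - OIDC client id registered in the realm
#   id_token  - ID token stored at login for this session (may be nil)
def keycloak_logout_url(base:, client_id:, id_token: nil)
  uri = URI.parse(base)
  # An ID token must never travel over plain HTTP.
  raise ArgumentError, "logout endpoint must be https" unless uri.is_a?(URI::HTTPS)

  params = { "client_id" => client_id }
  # Only send id_token_hint when it looks like a real token. Literal
  # placeholders such as "xxxx..." or "{login_id_token_hint}" are dropped,
  # which leaves the prompted form of the logout URL.
  params["id_token_hint"] = id_token if id_token.to_s.match?(JWT_SHAPE)

  uri.query = URI.encode_www_form(params) # percent-encodes every value
  uri.to_s
end

# Constructed sample values, using the thread's placeholder host name.
ENDPOINT = "https://bbbyourdomain/keycloak/realms/greenlight/protocol/openid-connect/logout"
SAMPLE_TOKEN = "eyJh.eyJz.c2ln" # constructed, not a valid signed token

if __FILE__ == $PROGRAM_NAME
  puts keycloak_logout_url(base: ENDPOINT, client_id: "greenlight", id_token: SAMPLE_TOKEN)
  puts keycloak_logout_url(base: ENDPOINT, client_id: "greenlight",
                           id_token: "{login_id_token_hint}")
end
```

Because the ID token ends up in a URL, it will also appear in browser history and proxy or web-server access logs on the way to Keycloak.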