
Logout from Keycloak does not work

Open. ljelinkova opened this issue 2 years ago · 0 comments

When logging out from the Keycloak, the following message is logged in the engine.log:

Unable to logout of external OIDC OAuthException: Invalid refresh token
2022-09-21 08:57:32,665Z DEBUG [org.ovirt.engine.core.sso.service.ExternalOIDCService] (default task-1) [] Exception: org.ovirt.engine.core.sso.api.OAuthException: Invalid refresh token
        at deployment.engine.ear.enginesso.war//org.ovirt.engine.core.sso.service.ExternalOIDCService.logout(ExternalOIDCService.java:327)
        at deployment.engine.ear.enginesso.war//org.ovirt.engine.core.sso.service.TokenCleanupService.cleanupSsoSession(TokenCleanupService.java:70)
        at deployment.engine.ear.enginesso.war//org.ovirt.engine.core.sso.servlets.OAuthRevokeServlet.service(OAuthRevokeServlet.java:62)
        at [email protected]//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
        at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

From the Keycloak logs:

Failed to decode token: org.keycloak.jose.jws.JWSInputException: java.lang.IllegalArgumentException: Parsing error
	at [email protected]//org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:59)
	at [email protected]//org.keycloak.jose.jws.DefaultTokenManager.decode(DefaultTokenManager.java:93)
	at [email protected]//org.keycloak.protocol.oidc.TokenManager.toRefreshToken(TokenManager.java:498)
	at [email protected]//org.keycloak.protocol.oidc.TokenManager.verifyRefreshToken(TokenManager.java:464)
	at [email protected]//org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken(LogoutEndpoint.java:247)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

During some debugging I've found out that ExternalOIDCService.logout tries to set the refresh_token; however, the refresh_token is null. It is not received during the login in NegotiateAuthService in the first place.

From Keycloak's source code it seems the refresh_token is some kind of legacy endpoint: https://github.com/keycloak/keycloak/blob/fa383bf76ca3581f271653deccc159123bec00f3/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L342

Note that besides the interactive login, which doesn't contain a refresh_token, there is also a periodic non-interactive login performed that calls ExternalOIDCService.login, and the refresh token is present in that session.

ljelinkova, Sep 21 '22 11:09
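The two stack traces above describe one failure from both sides: the engine posts whatever it has stored as refresh_token to Keycloak's logout endpoint, and Keycloak's JWSInput rejects the value before any signature check because it is not a JWS compact string. The example below is an added illustration, not code from ovirt-engine or Keycloak. It mirrors the segment check JWSInput performs (a wire string must split into 2 or 3 dot-separated segments, otherwise "Parsing error"), then shows the guard the logout path needs: only use the legacy refresh_token logout when a usable refresh token was actually stored for the session, and fall back to an id_token_hint logout (or plain local cleanup) otherwise. The sample tokens are constructed and unsigned; the refresh-token "typ" values ("Refresh"/"Offline"), the id_token_hint fallback form and the selection logic itself are this example's assumptions, not ovirt-engine's behaviour.

```python
import base64
import json
from typing import Optional

LOGOUT_PATH = "/protocol/openid-connect/logout"  # Keycloak logout endpoint, realm prefix omitted


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jws(header: dict, payload: dict) -> str:
    """Constructed test token in JWS compact form with a dummy signature segment.
    Real Keycloak tokens are signed; signature verification is out of scope here."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_jws_compact(token: Optional[str]) -> dict:
    """Mirror the input check Keycloak's JWSInput does before any signature check:
    the wire string must split into 2 or 3 dot-separated segments, otherwise it
    throws IllegalArgumentException("Parsing error"). None, "" and the literal
    string "null" all fail this check (assumption: whichever of these the engine
    sent, the Keycloak-side symptom in the issue is the same)."""
    if not isinstance(token, str):
        raise ValueError("Parsing error")
    parts = token.split(".")
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError("Parsing error")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def refresh_token_problem(token: Optional[str]) -> Optional[str]:
    """Return the decode error Keycloak would raise for this value, or None if it parses."""
    try:
        decode_jws_compact(token)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueError subclasses
        return str(exc)
    return None


def is_refresh_token(token: Optional[str]) -> bool:
    """True only if the value parses as a JWS whose payload carries a refresh-token type.
    Assumption: Keycloak marks refresh tokens with typ "Refresh" (or "Offline")."""
    if refresh_token_problem(token) is not None:
        return False
    return decode_jws_compact(token)["payload"].get("typ") in ("Refresh", "Offline")


def build_logout_form(client_id: str, client_secret: str,
                      refresh_token: Optional[str], id_token: Optional[str]) -> Optional[dict]:
    """Choose the logout call for one SSO session (example policy, not ovirt-engine's):
    - legacy refresh_token logout only when a usable refresh token was stored;
    - otherwise RP-initiated logout with id_token_hint, if an ID token exists;
    - otherwise None: nothing to send to Keycloak, only local session cleanup."""
    if is_refresh_token(refresh_token):
        return {"client_id": client_id, "client_secret": client_secret,
                "refresh_token": refresh_token}
    if id_token:
        return {"client_id": client_id, "id_token_hint": id_token}
    return None


# Constructed sample tokens (not real Keycloak output).
SAMPLE_REFRESH = make_unsigned_jws({"alg": "HS256", "typ": "JWT"},
                                   {"typ": "Refresh", "sid": "abc", "azp": "ovirt-engine"})
SAMPLE_ID = make_unsigned_jws({"alg": "RS256", "typ": "JWT"},
                              {"typ": "ID", "sid": "abc", "aud": "ovirt-engine"})


if __name__ == "__main__":
    # Interactive login as in the issue: no refresh token stored, so do not call the legacy path.
    print(build_logout_form("ovirt-engine", "s3cret", None, SAMPLE_ID))
    # What Keycloak sees if a null value is posted anyway.
    print(refresh_token_problem("null"))
    # Periodic non-interactive login: refresh token present, legacy logout is usable.
    print(build_logout_form("ovirt-engine", "s3cret", SAMPLE_REFRESH, None))
```

The point of the guard is that the presence check happens on the engine side, where the token was (or was not) stored at login time, rather than letting Keycloak discover the problem during JWS parsing and log an exception on every logout.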