
Incorrect oauth behaviour when logging out of keycloak #7382

Open
druckreich opened this issue Nov 22, 2021 · 3 comments

druckreich commented Nov 22, 2021

  • New feature request
  • Bug
  • Support request
  • Documentation

Current behaviour:
It is not possible to log out of Keycloak if an invalid user is created in ACS or APS with @Alfresco@4.3.0.

Expected behavior:
It should be possible to log out from Keycloak even if the users in APS or ACS do not exist or are invalid.

Steps to reproduce the issue:

  • use OAuth for authentication
  • have a valid user in Keycloak
  • have NO valid user in APS

Component name and version:

The problem occurs on 2 levels.

First Problem

The first problem occurs after the login in Keycloak was successful. Then, as soon as I try to load the user from BPM, I get a 401 response and the session is invalidated.

alfrescoApi.ts:197

errorHandler(error) {
    if (error.status === 401) {
        this.invalidateSession();
    }
    this.emit('error', error);
}

oAuth2Auth.ts:699

invalidateSession() {

    clearTimeout(this.refreshTokenTimeoutIframe);
    clearInterval(this.refreshTokenIntervalPolling);

    this.storage.removeItem('access_token');
    this.storage.removeItem('access_token_expires_in');
    this.storage.removeItem('access_token_stored_at');

    this.storage.removeItem('id_token');
    this.storage.removeItem('id_token');
    this.storage.removeItem('id_token_claims_obj');
    this.storage.removeItem('id_token_expires_at');
    this.storage.removeItem('id_token_stored_at');

    this.storage.removeItem('nonce');
}

The local storage is cleared of all authentication settings. Therefore the logout mechanism doesn't work at all, since Keycloak requires the id_token to log out.

oAuth2Auth.ts:673

async logOut() {
    this.checkAccessToken = true;

    const id_token = this.getIdToken();

    this.invalidateSession();

    this.setToken(null, null);

    let separation = this.discovery.logoutUrl.indexOf('?') > -1 ? '&' : '?';

    let redirectLogout = this.config.oauth2.redirectUriLogout || this.config.oauth2.redirectUri;

    let logoutUrl = this.discovery.logoutUrl +
        separation +
        'post_logout_redirect_uri=' +
        encodeURIComponent(redirectLogout) +
        '&id_token_hint=' +
        encodeURIComponent(id_token);

    if (id_token != null && this.config.oauth2.implicitFlow && typeof window !== 'undefined') {
        window.location.href = logoutUrl;
    }

}

After I disabled the invalidation of the session, the id_token was not deleted and the logout to Keycloak works in theory.
Unfortunately, incorrect behaviour sometimes occurs nevertheless.

Second Problem

Sometimes the logout does not work at all. This part is a bit tricky.
After calling the code in

oAuth2Auth.ts:694

window.location.href = logoutUrl;

the browser is (sometimes) redirected to the app with the hash fragments created for the iframe.

oAuth2Auth.ts:355

composeIframeLoginUrl(): string {
    let nonce = this.genNonce();

    this.storage.setItem('refresh_nonce', nonce);

    let separation = this.discovery.loginUrl.indexOf('?') > -1 ? '&' : '?';

    return this.discovery.loginUrl +
        separation +
        'client_id=' +
        encodeURIComponent(this.config.oauth2.clientId) +
        '&redirect_uri=' +
        encodeURIComponent(this.config.oauth2.redirectSilentIframeUri) +
        '&scope=' +
        encodeURIComponent(this.config.oauth2.scope) +
        '&response_type=' +
        encodeURIComponent('id_token token') +
        '&nonce=' +
        encodeURIComponent(nonce) +
        '&prompt=none';
}

With the redirect to my app with the hash fragments, I am logged in again.

So I had the situation where I could not log out from the app at all.

Browser and version:
I could not reproduce the behaviour every time; it acts like a race condition.
It seems to happen more often in Firefox than in Chrome, and more often if the dev console is open.

Node version (for build issues):
14.15.3
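The two problems described above, as an added example that is not code from the Alfresco JS API: a small OAuth2/OIDC session helper that keeps the id_token available as id_token_hint after a 401 has invalidated the session, and that cancels the silent-refresh timer and ignores stale callback tokens while a logout is in flight. Storage, discovery data, navigation and timers are injected so the class runs without a browser; the class name, method names, storage keys logout_id_token_hint and logout_in_progress, and all URLs and config values are constructed for this example.

```javascript
// Added example (not the Alfresco JS API code). Storage, discovery, navigation
// and timers are injected so it runs under Node without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Everything that counts as a credential and must be dropped on a 401.
const TOKEN_KEYS = [
  'access_token', 'access_token_expires_in', 'access_token_stored_at',
  'id_token', 'id_token_claims_obj', 'id_token_expires_at', 'id_token_stored_at',
  'nonce', 'refresh_nonce',
];
const HINT_KEY = 'logout_id_token_hint';   // constructed key name
const LOGOUT_FLAG = 'logout_in_progress';  // constructed key name

class OAuthSession {
  constructor({ storage, discovery, oauth2, navigate,
                setTimer = setTimeout, clearTimer = clearTimeout }) {
    this.storage = storage;
    this.discovery = discovery; // { logoutUrl }
    this.config = oauth2;       // { clientId, redirectUri, redirectUriLogout }
    this.navigate = navigate;   // stands in for `window.location.href = url`
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.refreshTimer = null;
  }

  // Hook for the API client's error handler.
  handleApiError(error) {
    if (error && error.status === 401) this.invalidateSession();
    return error;
  }

  // Drop the credentials, but park the id_token under a separate key first:
  // the provider needs it as id_token_hint to end its own session on logout.
  invalidateSession() {
    this.cancelSilentRefresh();
    const idToken = this.storage.getItem('id_token');
    if (idToken !== null) this.storage.setItem(HINT_KEY, idToken);
    for (const key of TOKEN_KEYS) this.storage.removeItem(key);
  }

  // A silent (prompt=none) login that fires during logout signs the user back in,
  // so the timer is cancelled on logout and checks the flag before starting.
  scheduleSilentRefresh(delayMs, startIframeLogin) {
    this.cancelSilentRefresh();
    this.refreshTimer = this.setTimer(() => {
      this.refreshTimer = null;
      if (this.storage.getItem(LOGOUT_FLAG) === '1') return;
      startIframeLogin();
    }, delayMs);
  }

  cancelSilentRefresh() {
    if (this.refreshTimer !== null) {
      this.clearTimer(this.refreshTimer);
      this.refreshTimer = null;
    }
  }

  // Tokens found in a callback URL fragment are accepted only when no logout is
  // in progress; returns true when the session was (re)established.
  acceptCallbackTokens(fragment) {
    if (this.storage.getItem(LOGOUT_FLAG) === '1') return false;
    const params = new URLSearchParams(fragment.replace(/^#/, ''));
    if (!params.get('access_token') || !params.get('id_token')) return false;
    this.storage.setItem('access_token', params.get('access_token'));
    this.storage.setItem('id_token', params.get('id_token'));
    this.storage.setItem('access_token_stored_at', String(Date.now()));
    return true;
  }

  // URLSearchParams handles an existing query string in discovery.logoutUrl,
  // so no manual '?' / '&' separator logic is needed.
  composeLogoutUrl() {
    const url = new URL(this.discovery.logoutUrl);
    url.searchParams.set('post_logout_redirect_uri',
      this.config.redirectUriLogout || this.config.redirectUri);
    url.searchParams.set('client_id', this.config.clientId);
    const hint = this.storage.getItem('id_token') ?? this.storage.getItem(HINT_KEY);
    if (hint !== null) url.searchParams.set('id_token_hint', hint);
    return url.toString();
  }

  // Raise the flag before clearing anything so no timer or late iframe callback
  // can re-create the session; finishLogout() lowers it on the landing page.
  logOut() {
    const logoutUrl = this.composeLogoutUrl();
    this.storage.setItem(LOGOUT_FLAG, '1');
    this.invalidateSession();
    this.storage.removeItem(HINT_KEY);
    this.navigate(logoutUrl);
    return logoutUrl;
  }

  finishLogout() { this.storage.removeItem(LOGOUT_FLAG); }
}

// Replays the reported scenario on constructed sample values: login succeeded,
// the BPM user lookup answered 401, then the user logs out.
function demo() {
  const storage = new MemoryStorage();
  storage.setItem('access_token', 'sample-access-token');
  storage.setItem('id_token', 'sample.id.token');
  const visited = [];
  const session = new OAuthSession({
    storage,
    discovery: { logoutUrl: 'https://idp.example.test/realms/demo/protocol/openid-connect/logout' },
    oauth2: { clientId: 'demo-app', redirectUri: 'https://app.example.test/' },
    navigate: (url) => visited.push(url),
  });
  session.handleApiError({ status: 401 });
  return { logoutUrl: session.logOut(), visited, storage, session };
}
```

With this ordering the 401 handler still removes every credential, yet `demo().logoutUrl` carries the id_token_hint the provider needs, and any fragment tokens that arrive between the redirect and `finishLogout()` are discarded rather than re-establishing the session.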

@druckreich (Author)

The problem persists with version @Alfresco@4.7.0.


eromano commented Nov 30, 2021

Why is the user not in APS?

@druckreich (Author)

Hello, the user is not synchronised from LDAP because he does not have the required rights, but he can log in via Keycloak.
