Vault oidc/logout

sf-greensill · August 17, 2020, 8:16am

Hi there,

I am using KeyCloak as my external Identity Provider, this allows users to login via OIDC.

The issue arises at the point of ending the user session. Users are able to logout from Vault, however their KeyCloak session is unaltered.

Then when the user tries to re-authenticate, following the traditional re-direct flow, the expected challenge is skipped and the user is automatically logged in. So far my work around has been to log into KeyCloak and terminate the user’s session locally - this is not be practical in a production environment.

Similarly, when the session is terminated in KeyCloak, Vault is not updated.

I have looked at the browser’s Dev console network tab. My research suggests a ‘logout’ token should be passed to the identity provider but I haven’t seen that.

The usual flow of requests to Vault as I understand it from the Dev console is: health?.., seal-status

On logout this is interrupted briefly with mounts.

My goal is to end the OIDC session when the user logs out of Vault. In a user management scenario, shouldn’t the session state synchronise between Vault and the Identity Provider?

–
Stephen.

sf-greensill · August 24, 2020, 8:16am

This is thread is expressing the same issue. I am posting this link in the hope that it will garner more attention and promote the importance of this issue.

bonareal · January 2, 2022, 5:17pm

Hi @sf-greensill , Happy New year!!

Maybe you already have a solution for your issue, because I have the same.

Thanks a lot, waiting for your feedback.

bonareal · January 3, 2022, 8:27am

Hi Stephen,
I found a solution.
It’s Not a Bug, It’s a Feature !!!

Have a good week.

mchsm · June 13, 2023, 2:07pm

Hi. I am still seeing this issue. I don’t believe it is a feature, it should be real issue.

I configured vault with oidc Azure. And after I logout from vault, I am still able to login to vault without getting prompted by identity/password challenge.

Please take a good example on grafana. I configured oauth Azure in grafana. In grafana, I am able to login and then fully logout from grafana.

After I logout from grafana, I will be prompted back the Azure login screen when I attempt to login back to the grafana.

mchsm · June 13, 2023, 2:08pm

To note, the vault I am using is version 1.10.4

mchsm · June 13, 2023, 2:13pm

And to note again, grafana has config so called “signout_redirect_url” that will serve as a hook to trigger Azure/keycloak to perform logout on their side

github.com/grafana/grafana

Login details persist after signout

opened 12:49PM - 22 Nov 18 UTC

closed 02:24PM - 22 Nov 18 UTC

yesoreyeram

type/question

What Grafana version are you using? - 5.2.3 What OS are you running grafana on?… - Ubuntu 16.04 I am using "Generic Oauth / Azure active directory" as a login provider in grafana V5.2.3. Steps: 1. Open https://mygrafana.com/ in browser incognito mode 2. Click "Login with Azure AD" button 3. Above action takes me microsoft login page and signed in 4. Above action landed me in https://mygrafana.com/ 5. Click Signout button in Grafana. 6. Above action took me to the Login page. 7. Click "Login with Azure AD" button again. 8. Instead of going to microsoft login page, I was landed directly into Grafana. Is this the expected behaviour of Grafana to remember the user details even after signout?

evsasha · January 21, 2025, 4:00pm

The year is 2025. The problem remains unresolved.

As a workaround, you can manually log out by following this link (example for Keycloak):
https://KEYCLOAK_HOST/realms/KEYCLOAK_REALM/protocol/openid-connect/logout

Topic		Replies	Views
Improper Logout Functionality from the Vault UI Vault	0	393	April 24, 2020
OIDC error: «Vault login failed. Expired or missing OAuth state» Vault	3	824	March 27, 2024
HCSEC-2021-19 - Vault’s UI Cached User-Viewed Secrets Between Shared Browser Sessions Security security-vault	0	7829	August 12, 2021
Error Authenticating: Unable to authorize role OIDC Vault vault	11	13094	July 14, 2020
Vault CLI OIDC login - prevent browser popup? Vault vault	1	701	October 9, 2022

Vault oidc/logout

Related topics