Vault oidc/logout

Hi there,

I am using KeyCloak as my external Identity Provider, this allows users to login via OIDC.

The issue arises at the point of ending the user session.  Users are able to logout from Vault, however their KeyCloak session is unaltered.

Then when the user tries to re-authenticate, following the traditional re-direct flow, the expected challenge is skipped and the user is automatically logged in.  So far my work around has been to log into KeyCloak and terminate the user’s session locally - this is not be practical in a production environment.

Similarly, when the session is terminated in KeyCloak, Vault is not updated.

I have looked at the browser’s Dev console network tab.  My research suggests a ‘logout’ token should be passed to the identity provider but I haven’t seen that.

The usual flow of requests to Vault as I understand it from the Dev console is: health?.., seal-status

On logout this is interrupted briefly with mounts.

My goal is to end the OIDC session when the user logs out of Vault.  In a user management scenario, shouldn’t the session state synchronise between Vault and the Identity Provider?


This is thread is expressing the same issue. I am posting this link in the hope that it will garner more attention and promote the importance of this issue.