View differences
Updated by Jan Sandbrink 10 months ago
Previous description:

### Steps to reproduce
_Please write down the steps to reproduce. Try to write down all necessary preconditions (what permissions do you have, are other users involved?). Example:_
1. Have a Keycloak OIDC integration with OpenProject with backchannel logout enabled
2. Log in multiple times in OpenProject (e.g., through two browsers)
3. Observe two sessions being shown in Keycloak
4. Click "Logout all sessions" for the given user in Keycloak
### What is the buggy behavior?
_Please describe the bug with as many details as possible. Example:_
Only one of the sessions is invalidated, because the logout token carries a single `sid`, which maps to exactly one of the `sid` values that OpenProject stores per session.
### What is the expected behavior?
_Describe how the application should behave. Example:_
1. Both sessions should be terminated, since both were removed in Keycloak
### Additional information
Keycloak only sends a single backchannel logout request, for one of the active `sid` values. There appears to be no way of identifying from that request whether multiple sessions are to be invalidated.

Updated description:

**As** an administrator,
**I want** OpenProject to support backchannel logout with no session indicated by the logout token,
**so that** it's possible to implement a "log out user from all sessions" functionality from an identity provider.
### Acceptance criteria
This feature request is about correct API/specification behaviour, so indicating "user facing" behaviour is hard.
As of writing this ticket, the following observable behaviours should be true:
* When Keycloak's client setting "Backchannel logout session required" is set to **"On"**, OpenProject only logs out **a single session** when a user logs out from Keycloak
* When Keycloak's client setting "Backchannel logout session required" is set to **"Off"**, OpenProject logs out **all sessions of the user** when a user logs out from Keycloak
### Technical notes
* The changes should be compatible with [https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken](https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken)
* Logging out a user via backchannel logout **without** a session identifier (`sid`) should log out **all** sessions of that user
* Logging out a user via backchannel logout **with** a session identifier (`sid`) should log out **only** that session
### Related links
Keycloak is currently not capable of distinguishing between logging out a single session or many sessions. This is documented in [https://github.com/keycloak/keycloak/issues/27359](https://github.com/keycloak/keycloak/issues/27359).
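The rule from the technical notes (a logout token with a `sid` ends that one session; a token without a `sid` ends every session of the `sub`), worked through as an added example in Ruby, OpenProject's language. This is not OpenProject's code: it assumes a hypothetical in-memory `SessionStore` holding one record per login with the user's `sub` and the `sid` from the ID token, and it signs tokens with HS256 and a shared secret as a stand-in for Keycloak's RS256/JWKS signatures. Before taking either branch it applies the validation steps the linked spec requires (issuer, audience, `iat`, the `events` claim, no `nonce`, `sub` or `sid` present, `jti` replay), since an endpoint that terminates sessions on an unchecked token is a logout-denial-of-service vector.

```ruby
require "json"
require "base64"
require "openssl"
require "set"

# Added example, not OpenProject code. An OIDC relying party acting on a
# back-channel logout token per
# https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken:
#   * token carries a `sid`  -> terminate only the session bound to that sid
#   * token carries no `sid` -> terminate every session of the `sub`
# Assumptions (hypothetical): sessions live in an in-memory store, and the
# token is HS256-signed with a shared secret. Keycloak uses RS256 via JWKS;
# only verify_and_decode would change for that.

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout".freeze

class LogoutTokenError < StandardError; end

# In-memory stand-in for the RP's session table.
class SessionStore
  Session = Struct.new(:id, :sub, :sid)

  def initialize
    @sessions = {}
    @next_id = 0
  end

  def create(sub:, sid:)
    session = Session.new(@next_id += 1, sub, sid)
    @sessions[session.id] = session
  end

  def active_ids
    @sessions.keys
  end

  # Terminates every session matching the given sub and/or sid; returns their ids.
  # sid: nil means "all sessions of sub", the case this ticket asks for.
  def terminate_where(sub: nil, sid: nil)
    raise ArgumentError, "sub or sid required" if sub.nil? && sid.nil?
    victims = @sessions.values.select do |s|
      (sub.nil? || s.sub == sub) && (sid.nil? || s.sid == sid)
    end
    victims.each { |s| @sessions.delete(s.id) }
    victims.map(&:id)
  end
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + "=" * ((4 - str.length % 4) % 4))
end

# Constant-time comparison so the signature check does not leak through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds a logout token the way a test IdP would (HS256 stand-in, see above).
def sign_logout_token(claims, secret)
  header = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "logout+jwt" }))
  payload = b64url_encode(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end

def verify_and_decode(token, secret)
  header, payload, sig = token.split(".")
  raise LogoutTokenError, "malformed token" unless header && payload && sig
  alg = JSON.parse(b64url_decode(header))["alg"]
  raise LogoutTokenError, "unexpected alg #{alg}" unless alg == "HS256" # never honour alg=none
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
  raise LogoutTokenError, "bad signature" unless constant_time_equal?(expected, b64url_decode(sig))
  JSON.parse(b64url_decode(payload))
rescue ArgumentError, JSON::ParserError => e
  raise LogoutTokenError, "undecodable token: #{e.message}"
end

# Checks from spec section 2.6 (Logout Token Validation).
def validate_logout_claims(claims, issuer:, client_id:, now:, seen_jti:, max_age: 120)
  raise LogoutTokenError, "iss mismatch" unless claims["iss"] == issuer
  raise LogoutTokenError, "aud mismatch" unless Array(claims["aud"]).include?(client_id)
  raise LogoutTokenError, "missing iat" unless claims["iat"].is_a?(Integer)
  raise LogoutTokenError, "token too old" if now - claims["iat"] > max_age
  raise LogoutTokenError, "token expired" if claims["exp"].is_a?(Integer) && claims["exp"] <= now
  events = claims["events"]
  raise LogoutTokenError, "missing backchannel-logout event" unless events.is_a?(Hash) && events.key?(BACKCHANNEL_EVENT)
  raise LogoutTokenError, "nonce must not be present" if claims.key?("nonce")
  raise LogoutTokenError, "sub or sid required" if claims["sub"].nil? && claims["sid"].nil?
  raise LogoutTokenError, "missing or replayed jti" if claims["jti"].nil? || !seen_jti.add?(claims["jti"])
  claims
end

# What the RP's back-channel logout endpoint does with the POSTed logout_token.
# Returns the ids of the sessions it terminated.
def handle_backchannel_logout(token, store:, secret:, issuer:, client_id:, seen_jti:, now: Time.now.to_i)
  claims = verify_and_decode(token, secret)
  validate_logout_claims(claims, issuer: issuer, client_id: client_id, now: now, seen_jti: seen_jti)
  store.terminate_where(sub: claims["sub"], sid: claims["sid"])
end
```

With Keycloak's "Backchannel logout session required" set to "On" the token carries a `sid` and `terminate_where` removes one record; with it set to "Off" the `sid` is absent and every session of the `sub` goes. A token that carries only a `sid` and no `sub`, which the spec also allows, is handled by the same call. The `seen_jti` set must be shared across workers in a real deployment (a database or cache, not a per-process `Set`), otherwise the replay check is only per process.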