Hi,

we are facing strange logout behavior with a client service (eduVPN) based on the mod_auth_openidc Apache module and “cascading”/brokering realms. The logout reaches the brokering realm only in certain cases when the account console is open in another tab.

Our setup looks as follows:

We have configured backchannel logout everywhere (but we also tried switching to frontchannel logout without making any difference).

• Keycloak version 26.5.5 (problem persists at least since 26.5.3)
• custom login theme
• no plugins

Problem description:

When logging out of the client app, we are immediately re-authenticated except when the account console of the sub-Realm is open in another tab. Only in this case, the logout is successful and persistent. In any case a REVOKE_GRANT_ERROR is logged right after a successful REVOKE_GRANT event. In the following, I can provide screenshots of the event log in the case of unsuccessful logout:

With unfolded event descriptions it looks like this:

What we already tried:

We have configured other clients in the sub-Realm which do log out successfully. However, with those clients there are no REVOKE_GRANT events.

We have also moved the client to the main-Realm which leads to successful logouts, however, there are still REVOKE_GRANT_ERRORs and LOGOUT_ERRORs in the event log. Screenshot of this look as follows:

With unfolded descriptions:

As can be seen, the main difference is that there are no immediate LOGIN and CODE_TO_TOKEN events after logout.

My questions:

1. Does anyone have a solution to this problem?
2. Can anyone point me to descriptions of how these events work? Especially the REVOKE_GRANT event followed immediately by a REVOKE_GRANT_ERROR makes me suspicious that there might be some kind of double revocation producing these strange side-effects.
3. Can anyone explain, why the logout is successful if the account console of the sub-realm is open in another tab?