keycloak: do not invalidate session without refresh_token

if there are multiple sessions for the same user (i.e. with different scopes) we only get the refresh_token for the first established one and we cannot invalidate it on first logout, so let's keep keycloak session active until the one that established it first logs out
oVirt · Oct 5, 2022 · 28a45b1 · 28a45b1
1 parent 7b26899
commit 28a45b1
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/...odules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java b/...odules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
@@ -66,9 +66,10 @@ public static void cleanupSsoSession(
                 }
             }
             if (ssoContext.getSsoLocalConfig().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO")) {
-                log.debug("Existing Session found for token: {}, invalidating session on external OP",
-                        ssoSession.getAccessToken());
-                ExternalOIDCService.logout(ssoContext, refreshToken);
+                log.debug("invalidating session on external OP, refreshToken: {}", refreshToken);
+                if (refreshToken != null) {
+                    ExternalOIDCService.logout(ssoContext, refreshToken);
+                }
             }
             invokeAuthnLogout(ssoContext, ssoSession);
             SsoService.notifyClientsOfLogoutEvent(ssoContext,