OIDC RP-Initiated Logout in WF40: library behavior at default stability, config at preview

jpu...@noverant.com

May 28, 2026, 12:16:50 PM
to WildFly
Hi all,

While upgrading an EE 10 app from WF39 to WF40, I ran into what looks like a stability-level mismatch in the elytron-oidc-client.

Short version: LogoutHandler.tryLogout in wildfly-elytron 2.9.1 intercepts any authenticated request whose path ends in /logout (the default for logout-path) and 302s the browser to Keycloak's end_session_endpoint with only id_token_hint. No opt-in. Meanwhile every attribute that would let me set post_logout_redirect_uri (or any of the other logout knobs) is Stability.PREVIEW in SecureDeploymentDefinition, so adding it to oidc.json fails the PARSE phase with WFLYOIDC0009. The net effect for the user is being stranded on Keycloak's "You are logged out" page with no path back into the app, and the only ways out are --stability=preview (one-way-ish, enables every other preview feature) or hand-rolling the logout redirect in app code.

Before I open a JIRA, I want to sanity-check two things:

1. Is the stability split intentional? My read is that the front-channel attrs (POST_LOGOUT_REDIRECT_URI, LOGOUT_PATH, LOGOUT_SESSION_REQUIRED) could safely move to default since their behavior already runs at default, while LOGOUT_CALLBACK_PATH and BACK_CHANNEL_LOGOUT_SESSION_INVALIDATION_LIMIT may need to stay at preview while back-channel work stabilizes.
2. Is there an existing JIRA or planned change I'd be duplicating? I checked code at the 40.0.0.Final and 2.9.1.Final tags but didn't dig the issue tracker.

Happy to file a WFLY issue (and a linked ELY one for the library default) with the source pointers and reproduction steps once I know I'm not stepping on existing work.

Thanks,
Jonathan Putney
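
The hand-rolled logout redirect mentioned in the post above, sketched as an added example (not code from the thread, WildFly or Elytron): it builds the RP-Initiated Logout URL with both id_token_hint and post_logout_redirect_uri, and checks the return URI against an exact-match allowlist so the handler cannot be used as an open redirect. The endpoint, return URI, token and state values are constructed placeholders, and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Added example: builds an OIDC RP-Initiated Logout redirect by hand.
public final class RpLogoutUrl {

    // Constructed sample values; replace with your realm and application URLs.
    static final URI END_SESSION = URI.create(
            "https://idp.example.test/realms/demo/protocol/openid-connect/logout");
    static final Set<String> ALLOWED_RETURN_URIS = Set.of("https://app.example.test/");

    // idToken is the raw ID token the session was established with;
    // returnUri must also be registered with the identity provider.
    static String build(URI endSession, String idToken, String returnUri, String state) {
        if (!"https".equals(endSession.getScheme())) {
            throw new IllegalArgumentException("end_session_endpoint must be https");
        }
        if (idToken == null || idToken.isBlank()) {
            throw new IllegalArgumentException("id_token_hint is required here");
        }
        // Exact-match allowlist: never reflect a caller-supplied return URL.
        if (!ALLOWED_RETURN_URIS.contains(returnUri)) {
            throw new IllegalArgumentException("post_logout_redirect_uri not allowed");
        }
        StringBuilder sb = new StringBuilder(endSession.toString());
        sb.append(endSession.getQuery() == null ? '?' : '&');
        sb.append("id_token_hint=").append(enc(idToken));
        sb.append("&post_logout_redirect_uri=").append(enc(returnUri));
        if (state != null) {
            sb.append("&state=").append(enc(state));
        }
        return sb.toString();
    }

    private static String enc(String v) {
        return URLEncoder.encode(v, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed placeholder token, not a real JWT.
        System.out.println(build(END_SESSION, "eyJ.sample.token",
                "https://app.example.test/", "af0ifjsldkj"));
    }
}
```

Given the interception described in the post, a servlet calling this would need a path that does not end in /logout, and it should invalidate the local session before sending the redirect.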

Darran Lofthouse

May 28, 2026, 12:22:14 PM
to WildFly
If you can, please raise a Jira issue. We are planning the fixes needed for WildFly 40.0.1, which has a very short interval, so if we can get an issue raised we can consider this one.

jpu...@noverant.com

May 28, 2026, 1:56:54 PM
to WildFly
I'm trying to get into the JIRA to create the ticket, but it looks like I'm running into the same access issues as others have. My account doesn't seem to have access anymore. I've sent an email to try and get access, but I'm also happy to post my write-up here if you want to get the ticket in sooner? Just let me know. Thanks!

jpu...@noverant.com

May 28, 2026, 2:20:00 PM
to WildFly
Never mind, I was finally able to get in. Submitting now.

jpu...@noverant.com

May 28, 2026, 3:15:49 PM
to WildFly