alma/NeahNew
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
43be7a99d2
NeahNew/IFRAME_LOGOUT_FIX.md
alma ca93d6a3b2 improve sso login flow
2026-01-01 18:52:01 +01:00

2.7 KiB
Raw Blame History

Iframe Logout Session Invalidation Fix

Problem

When a user logs out from an application inside an iframe:

  1. The iframe application calls Keycloak logout endpoint
  2. Keycloak session is invalidated
  3. NextAuth dashboard still has a valid JWT token
  4. When NextAuth tries to refresh the token, Keycloak returns: { error: 'invalid_grant', error_description: 'Session not active' }
  5. This causes a JWT_SESSION_ERROR and the user sees errors but isn't automatically signed out

Root Cause

The refreshAccessToken function was catching all errors generically and setting error: "RefreshAccessTokenError". When the session callback received this error, it would throw, causing a JWT_SESSION_ERROR but not properly signing the user out.

Solution

1. Detect Session Invalidation

In refreshAccessToken, we now specifically detect when Keycloak returns invalid_grant with "Session not active":

if (refreshedTokens.error === 'invalid_grant' || 
    refreshedTokens.error_description?.includes('Session not active') ||
    refreshedTokens.error_description?.includes('Token is not active')) {
  return {
    ...token,
    error: "SessionNotActive",
  };
}

2. Clear Tokens in JWT Callback

When we detect SessionNotActive, we clear the tokens in the JWT callback:

if (refreshedToken.error === "SessionNotActive") {
  return {
    ...refreshedToken,
    accessToken: undefined,
    refreshToken: undefined,
    idToken: undefined,
  };
}

3. Return Null in Session Callback

When tokens are missing or session is invalidated, the session callback returns null, which makes NextAuth treat the user as unauthenticated:

if (token.error === "SessionNotActive" || !token.accessToken) {
  return null as any; // NextAuth will treat user as unauthenticated
}

Result

Now when a user logs out from an iframe application:

  1. Keycloak session is invalidated
  2. NextAuth detects the invalid session on next token refresh
  3. Tokens are cleared
  4. Session callback returns null
  5. User is automatically treated as unauthenticated
  6. NextAuth redirects to sign-in page (via AuthCheck component)

Files Modified

  • app/api/auth/options.ts:
    • Enhanced refreshAccessToken to detect invalid_grant errors
    • Clear tokens when session is invalidated
    • Return null from session callback when session is invalid

Testing

To test this fix:

  1. Log in to the dashboard
  2. Open an iframe application
  3. Log out from the iframe application
  4. Wait for NextAuth to try to refresh the token (or trigger a page refresh)
  5. User should be automatically signed out and redirected to sign-in

Date: 2024
Status: Fixed
Version: 1.0