# Iframe Logout Session Invalidation Fix

## Problem

When a user logs out from an application running inside an iframe:

1. The iframe application calls the Keycloak logout endpoint.
2. The Keycloak SSO session is invalidated.
3. The NextAuth dashboard still holds a JWT it considers valid.
4. When NextAuth tries to refresh the token, Keycloak returns: `{ error: 'invalid_grant', error_description: 'Session not active' }`
5. This causes a `JWT_SESSION_ERROR`: the user sees errors but is not signed out automatically.

## Root Cause

The `refreshAccessToken` function caught every error generically and set `error: "RefreshAccessTokenError"`. When the session callback received this error it threw, which produced a `JWT_SESSION_ERROR` but never actually signed the user out.

## Solution

### 1. Detect Session Invalidation

In `refreshAccessToken`, we now specifically detect when Keycloak returns `invalid_grant`, or an `error_description` containing "Session not active" or "Token is not active", and report it as a distinct `SessionNotActive` error instead of the generic one:

```typescript
// Keycloak reports a dead SSO session as invalid_grant; surface it as a
// distinct error instead of the generic RefreshAccessTokenError.
if (refreshedTokens.error === 'invalid_grant' ||
    refreshedTokens.error_description?.includes('Session not active') ||
    refreshedTokens.error_description?.includes('Token is not active')) {
  return {
    ...token,
    error: "SessionNotActive",
  };
}
```

### 2. Clear Tokens in JWT Callback

When we detect `SessionNotActive`, we clear the tokens in the JWT callback:

```typescript
// The SSO session is gone: drop every token so nothing downstream can keep
// using them.
if (refreshedToken.error === "SessionNotActive") {
  return {
    ...refreshedToken,
    accessToken: undefined,
    refreshToken: undefined,
    idToken: undefined,
  };
}
```

### 3. Return Null in Session Callback

When the tokens are missing or the session has been invalidated, the session callback returns `null`, which makes NextAuth treat the user as unauthenticated:

```typescript
// No usable access token, or an invalidated session: report no session at all.
if (token.error === "SessionNotActive" || !token.accessToken) {
  return null as any; // NextAuth will treat the user as unauthenticated
}
```
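The three steps above composed into one end-to-end flow, as an added example that is not the project's code: the function names mirror the page, but the signatures are simplified (synchronous, taking an already-parsed Keycloak response instead of calling the token endpoint), and the `Token` and `KeycloakResponse` shapes and the sample token values are constructed for the example.

```typescript
// Added example, not the project's code: the fix's three checks composed into one
// flow, with the Keycloak token endpoint replaced by an already-parsed response.
type Token = { accessToken?: string; refreshToken?: string; idToken?: string; error?: string };
// Fields of a Keycloak token-endpoint JSON response that matter here.
type KeycloakResponse = {
  access_token?: string; refresh_token?: string; id_token?: string;
  error?: string; error_description?: string;
};
// Step 1: classify the refresh response. invalid_grant or a "not active" description
// means the SSO session is gone; report that distinctly from a generic failure.
function refreshAccessToken(token: Token, refreshed: KeycloakResponse): Token {
  if (
    refreshed.error === "invalid_grant" ||
    refreshed.error_description?.includes("Session not active") ||
    refreshed.error_description?.includes("Token is not active")
  ) {
    return { ...token, error: "SessionNotActive" };
  }
  if (refreshed.error) {
    return { ...token, error: "RefreshAccessTokenError" }; // other failure: tokens kept
  }
  return {
    ...token,
    accessToken: refreshed.access_token,
    refreshToken: refreshed.refresh_token ?? token.refreshToken,
    idToken: refreshed.id_token ?? token.idToken,
    error: undefined,
  };
}
// Step 2: the JWT callback strips every token once the session is known dead.
function jwtCallback(refreshedToken: Token): Token {
  if (refreshedToken.error === "SessionNotActive") {
    return { ...refreshedToken, accessToken: undefined, refreshToken: undefined, idToken: undefined };
  }
  return refreshedToken;
}
// Step 3: the session callback returns null so NextAuth treats the user as signed out.
function sessionCallback(token: Token): { accessToken: string } | null {
  if (token.error === "SessionNotActive" || !token.accessToken) return null;
  return { accessToken: token.accessToken };
}
// Constructed input: the response Keycloak returns after the iframe app logged out.
function afterIframeLogout(): { accessToken: string } | null {
  const stale: Token = { accessToken: "at-old", refreshToken: "rt-old", idToken: "id-old" };
  const keycloak: KeycloakResponse = { error: "invalid_grant", error_description: "Session not active" };
  return sessionCallback(jwtCallback(refreshAccessToken(stale, keycloak))); // -> null
}
```

A refresh error that is not a session invalidation keeps the existing tokens and the generic `RefreshAccessTokenError`, so only a dead SSO session forces the sign-out.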

## Result

Now, when a user logs out from an iframe application:

1. The Keycloak session is invalidated.
2. NextAuth detects the invalid session on the next token refresh.
3. The tokens are cleared.
4. The session callback returns `null`.
5. The user is automatically treated as unauthenticated.
6. NextAuth redirects to the sign-in page (via the `AuthCheck` component).


## Files Modified

- `app/api/auth/options.ts`:
  - Enhanced `refreshAccessToken` to detect `invalid_grant` errors
  - Clear tokens when the session is invalidated
  - Return `null` from the session callback when the session is invalid

## Testing

To test this fix:

1. Log in to the dashboard.
2. Open an iframe application.
3. Log out from the iframe application.
4. Wait for NextAuth to try to refresh the token (or trigger a page refresh).
5. The user should be signed out automatically and redirected to the sign-in page.

---

**Date**: 2024

**Status**: ✅ Fixed

**Version**: 1.0