OAuth2: regular sso session never created on idp keycloak #30206

@ldaloia-dev

Description

Overview of the issue

Starting with Keycloak 26.1.0 there is a breaking change:

keycloak/keycloak#36921

When requesting the offline_access scope during browser login flow, it seems that only an offline session is established.

Motivation for or Use Case

This prevents the SSO redirect to a client if the user has previously authenticated in the browser.
Furthermore, the logout flow can never expire a regular SSO session because it does not exist on the IdP:

[org.keycloak.events] (executor-thread-14) type="LOGOUT_ERROR", realmId="jhipster", realmName="jhipster", clientId="web_app", userId="null", ipAddress="172.18.0.1", error="session_expired"

Reproduce the error

With default settings (gateway oauth2)

  • login in the web app
  • in the Keycloak console an offline session is created but no SSO session is present

Related issues

Suggest a Fix

The offline_access scope should not be a predefined scope in application.yml and should be removed:

scope: openid, profile, email, offline_access # last one for refresh tokens
Keycloak will give public clients an access/refresh token, and the framework should use the standard refresh_token (requested without offline_access) to keep the user session "alive".
If offline_access is in the scope, every time the user logs in and out a new offline session is created, and over time there will be multiple offline sessions that are never used. The offline_access scope should only be requested for long-running processes or for operations that need to continue when the user is not online; it should not be requested by default for normal web app usage.
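As an added example (not from this issue or the JHipster project), a small Python check that tells a regular Keycloak refresh token from an offline token by its `typ` and `scope` claims, so you can confirm which kind of session a login actually produced before and after removing `offline_access` from the configured scopes. The `typ` values `Refresh` and `Offline` are Keycloak's token types; the two tokens below are constructed, unsigned stand-ins, not real Keycloak output.

```python
import base64
import json

OFFLINE_SCOPE = "offline_access"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    This is for inspecting a token you already hold; nothing here grants
    access based on the decoded claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_refresh_token(token: str) -> str:
    """'offline' for a Keycloak offline token, 'regular' for a normal refresh token."""
    claims = decode_jwt_payload(token)
    typ = claims.get("typ")
    scopes = claims.get("scope", "").split()
    if typ == "Offline" or OFFLINE_SCOPE in scopes:
        return "offline"
    if typ == "Refresh":
        return "regular"
    return "unknown"


def scopes_without_offline(scope_setting: str) -> str:
    """Drop offline_access from the comma-separated 'scope:' value of application.yml."""
    kept = [s.strip() for s in scope_setting.split(",") if s.strip()]
    return ", ".join(s for s in kept if s != OFFLINE_SCOPE)


def _constructed_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (alg=none, dummy signature)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(claims).encode())}.sig"


# Constructed sample tokens mirroring the two claim shapes Keycloak issues.
OFFLINE_TOKEN = _constructed_jwt({"typ": "Offline", "scope": "openid profile email offline_access"})
REGULAR_TOKEN = _constructed_jwt({"typ": "Refresh", "scope": "openid profile email"})

if __name__ == "__main__":
    print(classify_refresh_token(OFFLINE_TOKEN))  # offline
    print(classify_refresh_token(REGULAR_TOKEN))  # regular
    print(scopes_without_offline("openid, profile, email, offline_access"))  # openid, profile, email
```

Run it against the `refresh_token` returned by your gateway's token exchange: a result of `offline` means only an offline session was requested, which matches the behaviour described above.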

JHipster Version(s)

8.11.0

