Description
While working on #43256, all session expiry is now handled by an event.
This is blocking #38108.
There are still some situations where no event is created, and this enhancement will handle those:
- Deleting a session as an admin (already creates an Admin event, which might be fine for the workflow, but is not ideal for tracking it from a user's perspective)

  keycloak/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
  Lines 735 to 747 in a2c1055

  ```java
  public void deleteSession(@PathParam("session") String sessionId, @DefaultValue("false") @QueryParam("isOffline") boolean offline) {
      auth.users().requireManage();
      UserSessionModel userSession = offline ? session.sessions().getOfflineUserSession(realm, sessionId) : session.sessions().getUserSession(realm, sessionId);
      if (userSession == null) {
          throw new NotFoundException("Sesssion not found");
      }
      AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), connection, headers, true);
      Map<String, Object> eventRep = new HashMap<>();
      eventRep.put("offline", offline);
      adminEvent.operation(OperationType.DELETE).resource(ResourceType.USER_SESSION).resourcePath(session.getContext().getUri()).representation(eventRep).success();
  }
  ```
- Deleting all sessions in a realm (already creates an admin event, but that might not be enough for the workflow, and it is also not ideal for auditing)

  keycloak/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
  Lines 711 to 718 in a2c1055

  ```java
  public GlobalRequestResult logoutAll() {
      auth.users().requireManage();
      session.sessions().removeUserSessions(realm);
      GlobalRequestResult result = new ResourceAdminManager(session).logoutAll(realm);
      adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(result).success();
      return result;
  }
  ```
Value Proposition
Once every removal of a session creates an event, the workflow functionality can use those events to trigger a timed expiry or deletion of the user.
Goals
- All user triggered situations should create a LOGOUT event
- All admin triggered situations should create a USER_SESSION_DELETED user event (to be confirmed)
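To make the second goal concrete, the following is an added example of how an admin-initiated session removal could record a user-level event next to the existing admin event. It is not Keycloak code and not part of this issue's proposal as written: the `EventBuilder`, `EventType`, `UserSessionModel` and `ClientConnection` types it uses exist in Keycloak, but the helper `recordAdminSessionRemoval`, the detail keys `offline` and `initiated_by`, and the choice of passing the event type in as a parameter are assumptions made for this example. `EventType.LOGOUT` exists today; a dedicated type such as the USER_SESSION_DELETED mentioned above would first have to be added to `EventType`.

```java
// Added example, not Keycloak's own code. Shows one way an admin-triggered
// session removal (deleteSession / logoutAll in RealmAdminResource) could
// emit a user-level event in addition to the admin event it already records,
// so that the workflow feature can observe the removal from the user's side.
// The helper name, the detail keys and the event-type parameter are
// assumptions for this example.
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;

public final class SessionRemovalEvents {

    private SessionRemovalEvents() {
    }

    /**
     * Records a user-level event for one session that an administrator is
     * removing. Call it once per session, before the session is removed, so
     * that the user and session identifiers are still available.
     *
     * @param type    the user event type to emit; EventType.LOGOUT exists
     *                today, a dedicated admin-deletion type is still to be
     *                confirmed and would have to be added to EventType
     * @param offline whether the session being removed is an offline session
     */
    public static void recordAdminSessionRemoval(KeycloakSession session,
                                                 RealmModel realm,
                                                 ClientConnection connection,
                                                 UserSessionModel userSession,
                                                 EventType type,
                                                 boolean offline) {
        EventBuilder event = new EventBuilder(realm, session, connection)
                .event(type)
                .session(userSession)
                // Detail keys are assumptions for this example, not constants
                // from org.keycloak.events.Details.
                .detail("offline", Boolean.toString(offline))
                .detail("initiated_by", "admin");

        // A session may in principle lack a resolvable user; only attach the
        // user when it is present so the event is still recorded.
        if (userSession.getUser() != null) {
            event.user(userSession.getUser());
        }

        event.success();
    }
}
```

For `deleteSession` the call would sit next to the existing `AuthenticationManager.backchannelLogout(...)` call, with `userSession` and `offline` already in scope. For `logoutAll` note that `session.sessions().removeUserSessions(realm)` removes every session in bulk without enumerating them, so producing one user-level event per session there requires enumerating the realm's sessions before the removal; the admin event it already records carries no per-user information.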
Non-Goals
- Triggering backchannel logouts where we are currently not triggering backchannel logouts