Description
As part of #43256, every session expiry is now reported through an event.
This is blocking #38108.
There are still some situations in which no event is created; this enhancement will cover those:
- An authentication session is started, but the user is now blocked

  keycloak/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java
  Line 193 in a2c1055

  ```java
  AuthenticationManager.backchannelLogout(session, userSession, true);
  ```

- A login action is restarted (?)

  keycloak/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
  Lines 256 to 261 in a2c1055

  ```java
  UserSessionModel userSession = new AuthenticationSessionManager(session).getUserSession(authSession);
  if (userSession != null) {
      logger.debugf("Logout of user session %s when restarting flow during re-authentication", userSession.getId());
      AuthenticationManager.backchannelLogout(session, userSession, false);
      authSession = AuthenticationProcessor.recreate(session, authSession);
  }
  ```

- A session is deleted by an admin (this already creates an admin event, which might be fine for the workflow, but is not ideal for tracking it from a user's perspective)

  keycloak/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
  Lines 735 to 747 in a2c1055

  ```java
  public void deleteSession(@PathParam("session") String sessionId, @DefaultValue("false") @QueryParam("isOffline") boolean offline) {
      auth.users().requireManage();

      UserSessionModel userSession = offline ? session.sessions().getOfflineUserSession(realm, sessionId) : session.sessions().getUserSession(realm, sessionId);
      if (userSession == null) {
          throw new NotFoundException("Sesssion not found");
      }
      AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), connection, headers, true);

      Map<String, Object> eventRep = new HashMap<>();
      eventRep.put("offline", offline);
      adminEvent.operation(OperationType.DELETE).resource(ResourceType.USER_SESSION).resourcePath(session.getContext().getUri()).representation(eventRep).success();
  ```

- All sessions in a realm are deleted (this already creates an admin event, but it might not be enough for the workflow, and it is not ideal for auditing either)

  keycloak/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
  Lines 711 to 718 in a2c1055

  ```java
  public GlobalRequestResult logoutAll() {
      auth.users().requireManage();

      session.sessions().removeUserSessions(realm);
      GlobalRequestResult result = new ResourceAdminManager(session).logoutAll(realm);
      adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(result).success();
      return result;
  }
  ```
Value Proposition
Once every removal of a session creates an event, the workflow functionality can use those events to trigger a timed expiry or deletion of the user.
Goals
- All user-triggered situations should create a LOGOUT event
- All admin-triggered situations should create a USER_SESSION_DELETED user event (to be confirmed)
Non-Goals
- Triggering backchannel logouts where we are currently not triggering backchannel logouts
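As an added example, not Keycloak's own code and not part of this enhancement, the hypothetical `EventListenerProvider` below shows what a workflow or audit consumer can and cannot recover today from the two kinds of event named in the Goals and Value Proposition: a user LOGOUT event carries the realm, user and session ids, whereas the two admin events emitted by `RealmAdminResource` carry only a resource path and no user id, which is the tracking gap this issue describes. The package and class names are mine, as is the assumption that the admin resource paths end in `sessions/{session}` and `logout-all`; registering the listener needs an `EventListenerProviderFactory` and a `META-INF/services` entry, both omitted here.

```java
// Hypothetical listener written as an example for this issue; it is not part of
// Keycloak. Package and class names are assumed.
package org.example.keycloak.events;

import java.util.function.Consumer;

import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;

/**
 * Funnels every session-ending signal Keycloak emits today into one normalised
 * record, so a workflow or audit consumer can treat user-driven LOGOUT events and
 * admin-driven session deletions uniformly. Wiring it in still requires an
 * EventListenerProviderFactory plus a META-INF/services entry (omitted here).
 */
public class SessionTerminationListener implements EventListenerProvider {

    /** Normalised record; userId and sessionId are null when the source event does not carry them. */
    public record SessionTerminated(String realmId, String userId, String sessionId,
                                    String source, long time) { }

    private final Consumer<SessionTerminated> sink;

    public SessionTerminationListener(Consumer<SessionTerminated> sink) {
        this.sink = sink;
    }

    /** User events: a LOGOUT carries realm, user and session id, which is all the workflow needs. */
    @Override
    public void onEvent(Event event) {
        if (event.getType() != EventType.LOGOUT) {
            return;
        }
        sink.accept(new SessionTerminated(event.getRealmId(), event.getUserId(),
                event.getSessionId(), "user:LOGOUT", event.getTime()));
    }

    /** Admin events: the two RealmAdminResource paths quoted in the issue. */
    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        String path = event.getResourcePath();
        if (path == null) {
            return;
        }
        if (event.getOperationType() == OperationType.DELETE
                && event.getResourceType() == ResourceType.USER_SESSION) {
            // deleteSession(): the session id is the last segment of the (assumed)
            // sessions/{session} path; the user id is not in the event at all.
            sink.accept(new SessionTerminated(event.getRealmId(), null, lastSegment(path),
                    "admin:USER_SESSION_DELETE", event.getTime()));
        } else if (event.getOperationType() == OperationType.ACTION
                && (path.equals("logout-all") || path.endsWith("/logout-all"))) {
            // logoutAll(): realm-wide, no per-user or per-session identity survives,
            // so a consumer can only mark every session in the realm as gone.
            sink.accept(new SessionTerminated(event.getRealmId(), null, null,
                    "admin:LOGOUT_ALL", event.getTime()));
        }
    }

    /** Last segment of a resource path, ignoring a trailing slash. */
    static String lastSegment(String path) {
        String trimmed = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
        int idx = trimmed.lastIndexOf('/');
        return idx < 0 ? trimmed : trimmed.substring(idx + 1);
    }

    @Override
    public void close() {
        // nothing to release
    }
}
```

The two admin branches are where the proposed USER_SESSION_DELETED user event would remove guesswork: once the user id and session id are on a user event, the consumer no longer needs to parse resource paths, and a realm-wide logout can be attributed per user rather than recorded as a single realm marker.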
Discussion
No response
Notes
No response