Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
saml
Describe the bug
We were using Keycloak and upgrading it regularly until version 26.1.3, and the front logout channel was working great so far.
After upgrading to 26.2.5, something broke the front logout channel for us.
I log in to Application A.
I then log in to Application B.
If I click logout on Application B, it will try to log out from Application A, and fail.
In one of our applications, the message the application gave was:
**PEM_read_bio_X509: no start line (Expecting: CERTIFICATE)**
On another application, the log line was:
2025-06-20 13:24:28,268 DEBUG [web.AUTH_DEBUG dispatcherServlet.766] - [2001:730:130:8071::53] - request-URI: /vrtx/__vrtx/app-resources/saml/sp - Failed to inflate SAML response
java.util.zip.ZipException: invalid code lengths set
at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:182) ~[?:?]
at vtk.util.io.IO$ReadBase.readInputStream(IO.java:339) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
at vtk.util.io.IO$1.perform(IO.java:568) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
at vtk.util.io.IO$1.perform(IO.java:565) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
at vtk.auth.saml.SamlService.inflate(SamlService.java:1087) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
(...)
and sometimes:
025-06-19 11:23:30,470 DEBUG [web.AUTH_DEBUG dispatcherServlet.468] - [2001:730:130:8071::53] - request-URI: /vrtx/__vrtx/app-resources/saml/sp - Failed to unmarshall SAML request
org.xml.sax.SAXParseException: Invalid byte 1 of 1-byte UTF-8 sequence.
and
2025-06-19 11:34:11,571 TRACE [web.AUTH_DEBUG dispatcherServlet.1863] - Unmarshall: failed to parse XML: [undecodable binary payload omitted]
I am not sure if this has something to do with some saml bugfixes regarding signatures, but it simply stopped working after upgrading.
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
Being able to log out from all applications via front channel logout in SAML.
Actual behavior
Applications are somehow refusing to log out and throwing different errors.
How to Reproduce?
Have SAML clients configured with front channel logout.
Log in to one of them.
Log in to the second.
Log out on the second.
You'll get an error from the first one.
Anything else?
No response
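For triaging the decode errors quoted in the report, an added example (not from the reporter, the affected applications, or Keycloak): it classifies a captured `SAMLRequest`/`SAMLResponse` value as base64 XML (the HTTP-POST binding encoding) or base64 over raw DEFLATE (the HTTP-Redirect binding encoding), so what the IdP sent can be compared with what the SP tried to decode. The function names and the sample message are constructed, and the report does not establish that an encoding mismatch is the cause.

```python
import base64, binascii, zlib
from urllib.parse import unquote
from xml.parsers import expat

MAX_INFLATED = 1 << 20  # cap inflate output so a hostile value cannot exhaust memory

def root_tag(data: bytes):
    """Root element name if data is well-formed XML without a DOCTYPE, else None."""
    seen = []
    def reject_doctype(*_):
        raise ValueError("DOCTYPE not expected in a SAML message")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        parser.Parse(data, True)
    except (expat.ExpatError, ValueError):
        return None
    return seen[0] if seen else None

def inflate_raw(data: bytes):
    """Raw DEFLATE (RFC 1951, no zlib header) with bounded output; None on failure."""
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(data, MAX_INFLATED)
    except zlib.error:
        return None
    return out if d.eof else None  # truncated or oversized streams never reach eof

def probe(value: str):
    """Classify a captured SAMLRequest/SAMLResponse value -> (encoding, root element)."""
    try:
        # unquote() undoes URL-encoding when the value was copied from a query string
        decoded = base64.b64decode(unquote(value).strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("not-base64", None)
    tag = root_tag(decoded)
    if tag:
        return ("post", tag)       # base64(XML)
    inflated = inflate_raw(decoded)
    tag = root_tag(inflated) if inflated else None
    if tag:
        return ("redirect", tag)   # base64(raw-DEFLATE(XML))
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample message, not taken from the report.
    xml = b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0"/>'
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    print(probe(base64.b64encode(xml).decode()))
    print(probe(base64.b64encode(c.compress(xml) + c.flush()).decode()))
```

A result of `post` for a value that the SP handles on its redirect endpoint (or the reverse) would be consistent with the inflate and XML-parse failures in the logs above; `unknown` points at corruption or a different encoding altogether.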