gada121982 commented on code in PR #10437:
URL: https://github.com/apache/gravitino/pull/10437#discussion_r2938711698
##########
web-v2/web/src/lib/store/auth/index.js:
##########
@@ -102,8 +102,32 @@ export const logoutAction =
createAsyncThunk('auth/logoutAction', async ({ route
try {
const provider = await oauthProviderFactory.getProvider()
if (provider) {
+ // For OIDC providers, use signoutRedirect to end Keycloak session
+ if (provider.getUserManager) {
+ const userManager = provider.getUserManager()
+ if (userManager) {
+ // Clear legacy auth tokens before redirect
+ localStorage.removeItem('accessToken')
+ localStorage.removeItem('authParams')
+ localStorage.removeItem('expiredIn')
+ localStorage.removeItem('isIdle')
+ localStorage.removeItem('version')
+
+ dispatch(clearIntervalId())
+ dispatch(setAuthToken(''))
+
+ // Redirect to IdP logout endpoint — this will navigate away from
the app
+ // signoutRedirect() must be called before clearAuthData() because
it needs
+ // the stored id_token for the id_token_hint parameter in
RP-initiated logout
+ await userManager.signoutRedirect()
+
+ await provider.clearAuthData()
+
+ return { token: null }
+ }
+ }
+
await provider.clearAuthData()
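Review bot: If `userManager.signoutRedirect()` on the `await userManager.signoutRedirect()` line rejects (for example when the provider metadata has no end-session endpoint or navigation cannot be started), the `await provider.clearAuthData()` that follows it and the `return { token: null }` are skipped, so the oidc user record with the id_token and any refresh token stays in storage even though the legacy tokens were already removed and the app now looks logged out; the error presumably lands in the thunk's outer catch, which is outside this hunk. The local cleanup should not depend on the IdP redirect succeeding, so wrap the redirect in try/finally and keep `clearAuthData()` in the finally branch, which preserves the ordering the existing comment on this line asks for. The enclosing createAsyncThunk body starts before and ends after this hunk. A minor style point on the `if (provider.getUserManager)` line: `typeof provider.getUserManager === 'function'` states the capability check explicitly instead of relying on truthiness.
```javascript
        // … unchanged: legacy localStorage cleanup and dispatches …
        try {
          // Must run before clearAuthData(): the redirect builds id_token_hint
          // from the stored id_token.
          await userManager.signoutRedirect()
        } finally {
          // Runs even when the redirect could not be started, so the stored
          // OIDC user never outlives a logout request.
          await provider.clearAuthData()
        }
        return { token: null }
```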
Review Comment:
`signoutRedirect()` needs the stored `id_token` to build the `id_token_hint`
parameter for the IdP logout URL. If `clearAuthData()` (which calls
`removeUser()`) runs first, the user data is deleted from localStorage — then
`signoutRedirect()` has no `id_token_hint` to send, and the IdP may not
properly terminate the SSO session.
Flow:
1. `signoutRedirect()` — reads `id_token` from store → redirects to
`{authority}/protocol/openid-connect/logout?id_token_hint=...`
2. `clearAuthData()` — calls `removeUser()` to clean up local storage
If reversed, the IdP logout becomes unreliable (no `id_token_hint` →
Keycloak may keep the SSO session alive, causing auto-login on next visit).