
Login while on logout page displays misleading message #295

Closed
tuxmaster5000 opened this issue Apr 11, 2024 · 14 comments · Fixed by #303 or #312

Comments

@tuxmaster5000

Jenkins and plugins versions report

Environment
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

Rock 9.3

Reproduction steps

  1. Log in
  2. Log out
  3. Log in again

Expected Results

That after logging out, the token on the IDP and all session data will be removed.

Actual Results

The user will be still logged in.

Anything else?

Picture after step 2:
[Screenshot: step2]

Picture after step 3:
[Screenshot: step3]

Are you interested in contributing a fix?

No response

@michael-doubez
Contributor

Can you please provide more details?

  • regression or new setup?
  • version of Jenkins and plugin?
  • mono instance?
  • OIDC provider?
  • which fields do you use in config?

The logout of the user is handled by Jenkins itself. I'll check how we can end up in this situation (sessions were changed recently, so it may be a side effect).

@michael-doubez
Contributor

I think I understand. When you login in the third step it redirects you to the logout landing page because it is the page you login from.

It is the expected behavior but indeed a bit misleading :D

I'll make a fix in the redirect to redirect to the root URL if the redirect URL is the logout landing page.

@michael-doubez
Contributor

michael-doubez commented Apr 11, 2024

@tuxmaster5000 Can you confirm that if you go to another page before logging back in, you don't have this message?

@michael-doubez michael-doubez changed the title from "Logout not working" to "Login while on logout page displays misleading message" Apr 11, 2024
@tuxmaster5000
Author

@michael-doubez,
Before I switched to OpenIDC, the system was using LDAP for the user authorisation.
Versions:
Jenkins: 2.453
Add-on: 4.239.v325750a_96f3b_
What do you mean with mono instance? Cluster/stand alone? It is a single installation.
OIDC provider: Keycloak 24.0.2
Config:
User name field name -> preferred_username
Groups field name -> realm_access.roles[].name
Post logout redirect URL -> Main company page
Enable the "escape" config in case OpenID will not work.
The other fields are default.

I click on logout, then the first picture will be shown, and I have the Login button again.
(On the IDP side I see that the session is still valid.) When I now click on login again, the second picture will be presented.

@michael-doubez
Contributor

When you login, the plugin redirects you to the page you started from. So when you login from the logout page it displays it, but the page logic expects you to be logged out. That's why you have this message.

I'll change the login logic to redirect to the root URL in this specific case.
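The redirect rule described in this comment, as an added Python illustration that is not the plugin's own code: the origin page is honoured unless it is the logout landing page or lies off the Jenkins host, in which case the browser goes to the root URL. The root URL and the landing-page path are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this illustration; the real plugin derives them
# from the configured Jenkins root URL and its own logout landing page.
ROOT_URL = "https://jenkins.example.test/"
LOGOUT_LANDING_PATH = "/oicLogout"  # assumed path, not taken from the plugin


def post_login_redirect(from_url: str, root_url: str = ROOT_URL,
                        logout_path: str = LOGOUT_LANDING_PATH) -> str:
    """Pick where to send the browser after a successful OIDC login.

    Normally the user returns to the page the login started from. Two cases
    fall back to the root URL instead:
      * the origin is the logout landing page, whose logic assumes a
        logged-out user and would show the misleading "logged out" message;
      * the origin is not on the Jenkins host, so a tampered "from" value
        cannot turn the login flow into an open redirect.
    """
    root = urlsplit(root_url)
    target = urlsplit(from_url)
    # A relative path is resolved against the Jenkins root.
    if not target.scheme and not target.netloc:
        target = target._replace(scheme=root.scheme, netloc=root.netloc)
    same_origin = (target.scheme.lower(), target.netloc.lower()) == \
                  (root.scheme.lower(), root.netloc.lower())
    if not same_origin:
        return root_url
    if target.path.rstrip("/") == logout_path.rstrip("/"):
        return root_url
    return urlunsplit(target)
```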

@tuxmaster5000
Author

Thanks.
And what about the undeleted session on the IdP? Or should I open a separate task for this?

@michael-doubez
Contributor

michael-doubez commented Apr 15, 2024

You mean the token was not revoked?

If that is what you are talking about, you should configure

  • logoutFromOpenidProvider = true
  • endSessionEndpoint if you don't use configuration endpoint

@tuxmaster5000
Author

Yes, that is another name for the same thing. (Under Keycloak this is called a session.)
But where can I set this? I don't see an option for that:
[Screenshot 2024-04-16 at 11-31-59: Security, Jenkins]

@michael-doubez
Contributor

michael-doubez commented Apr 16, 2024

It shows up when you click on "Manual configuration" ...
Damned. I'll have to fix that.

Click on manual, activate it and switch back to "Automatic configuration", it will be kept.

@michael-doubez michael-doubez self-assigned this Apr 16, 2024
@tuxmaster5000
Author

Switching back will not work, because the settings will be removed:
[Screenshot 2024-04-17 at 10-26-36: Security, Jenkins]

@tuxmaster5000
Author

Now the login works in the UI, but on the IDP not all sessions are removed.
On login, two are created, but only one will be removed:
[Screenshot 2024-04-17 at 10-37-31: Keycloak Administration UI]
The regular one will be removed, but the offline one will still be present.

@michael-doubez
Contributor

michael-doubez commented Apr 17, 2024

Ah yes. That's because you requested the refresh token which is not handled at this point.

The reason it is requested is because the well-known configuration requests all available scopes, including offline_access, which in your case triggers the generation of the refresh token. I didn't know it resulted in an open session, but it makes sense.

You can fix that by overriding the scopes to specify only what you need: tick the "override Scopes" box in config and remove offline_access.

See: https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/sessions/offline.html
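The scope behaviour explained above, as an added Python illustration that is not the plugin's code: with no override, every scope advertised in the provider's discovery document is requested, so offline_access slips in and Keycloak issues a refresh token backed by an offline session; with an override, only the listed scopes go out. The discovery document and token response are constructed stand-ins.

```python
import json
from typing import List, Optional, Set

# Constructed stand-in for a Keycloak /.well-known/openid-configuration
# response; only the field this example reads is populated.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://sso.example.test/realms/ci",
    "scopes_supported": ["openid", "email", "profile", "roles",
                         "offline_access", "microprofile-jwt"],
})

# Scopes that change the IdP's session state rather than the claims returned.
SESSION_AFFECTING_SCOPES = {"offline_access"}


def scopes_to_request(discovery_json: str, override: Optional[str] = None) -> List[str]:
    """Return the scope list the client sends in its authorization request.

    override=None reproduces the default described in the thread: every
    scope in scopes_supported is requested, offline_access included. With
    an override string (the "override Scopes" setting) only those scopes
    are used; "openid" is always kept since the request is not OIDC without it.
    """
    if override is None:
        scopes = list(json.loads(discovery_json)["scopes_supported"])
    else:
        scopes = override.split()
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    return scopes


def leftover_session_scopes(scopes: List[str]) -> Set[str]:
    """Requested scopes that leave IdP state behind after a plugin logout."""
    return SESSION_AFFECTING_SCOPES & set(scopes)


def audit_token_response(token_response_json: str) -> List[str]:
    """Flag a token response that carries state the plugin will not revoke."""
    resp = json.loads(token_response_json)
    findings = []
    if "refresh_token" in resp:
        findings.append("refresh_token issued: an offline session stays open "
                        "on the IdP after logout; drop offline_access from the scopes")
    return findings
```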

@tuxmaster5000
Author

Hi @michael-doubez, yes, this will fix it.
I think it would be helpful to include this in the documentation. (Because I had users with over 30 offline sessions/tokens on the SSO server today.)

@michael-doubez
Contributor

michael-doubez commented Apr 19, 2024

Actions:

  • redirect user to home page if login is redirecting to logout page
  • fix config UI about scope overrides not showing up in the right config space
  • document scope and lack of refresh token handling
