[GH-ISSUE #100] Keycloak session timeout doesn’t trigger logout — app remains connected until token error #53

Closed
opened 2026-05-07 00:18:25 +02:00 by BreizhHardware · 1 comment

Originally created by @morb3at on GitHub (Nov 10, 2025).
Original GitHub issue: https://github.com/glenndehaan/unifi-voucher-site/issues/100

Originally assigned to: @glenndehaan on GitHub.

The problem

When using the UniFi Voucher Docker app integrated with Keycloak for authentication, user sessions are not being invalidated on the application side after the Keycloak SSO session expires.

Currently, when the Keycloak session times out (e.g., after 30 minutes of inactivity), the app continues running as if still authenticated. Once a new request is made, it fails with the following error:

OPError: invalid_token (Token verification failed)
    at throwAuthenticateErrors (/app/node_modules/openid-client/lib/helpers/process_response.js:18:11)
    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:7)
    at Client.userinfo (/app/node_modules/openid-client/lib/client.js:1135:18)

This causes the interface to appear disconnected without any visible logout or redirect for the user.

Expected Behavior

When the Keycloak session expires or the token becomes invalid, the app should automatically:

  • Terminate the local session.
  • Redirect the user to the main login page (or homepage).
  • Optionally, receive a logout notification from Keycloak (frontchannel or backchannel logout).

Actual Behavior

  • The app remains active after the Keycloak SSO session expires.
  • User sees a silent disconnect followed by an invalid_token error in logs.
  • No automatic logout or redirect happens.

Steps to Reproduce

  1. Log in via Keycloak.
  2. Leave the session idle until the Keycloak session times out (e.g., 30 minutes).
  3. Try to perform any action in the app.
  4. Observe the invalid_token error and disconnection.

Environment

  • App: UniFi Voucher Docker
  • Auth Provider: Keycloak (OIDC)
  • Access Token Lifespan: 5 minutes
  • SSO Session Idle Timeout: 30 minutes
  • Keycloak Version: [latest]
  • App Version: [latest]

Suggested Fix

Implement proper Frontchannel or Backchannel Logout handling in the app so Keycloak can notify it when the user session expires.

Alternatively, add a mechanism to detect expired sessions and redirect users to the login page automatically.

What version of UniFi Voucher Site has the issue?

8.3.0

What was the last working version of UniFi Voucher Site?

No response

What type of installation are you running?

Docker

Anything in the logs that might be useful for us?

OPError: invalid_token (Token verification failed)
    at throwAuthenticateErrors (/app/node_modules/openid-client/lib/helpers/process_response.js:18:11)
    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:7)
    at Client.userinfo (/app/node_modules/openid-client/lib/client.js:1135:18)

Additional information

No response

BreizhHardware closed this issue and added the bug label 2026-05-07 00:18:25 +02:00

@glenndehaan commented on GitHub (Nov 11, 2025):

Hi @morb3at,

I have just released version 8.3.1.
This resolves the issue you are encountering where the system can't fetch user data if the token has expired.
Since this function was not caught before, it would leave users stuck on an error page.
This has been fixed and tested against the following scenarios:

  • Token expires
  • SSO session expires
  • User logs out via IdP
  • User is deactivated via IdP

For now I don't see the need for front/back channel logout methods.
One last note for myself: front channel logout is not supported by the dependency.

Kind regards,
Glenn de Haan
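
The failure mode discussed in this thread, as an added example (not the project's code and not the 8.3.1 fix): Express-style middleware that treats an `invalid_token` rejection from the userinfo call as the end of the local session, while passing other failures to the error handler. `requireLiveSession`, `fetchUserinfo`, `simulate` and the `/login` route are assumptions; `fetchUserinfo` stands in for openid-client's `client.userinfo()`.

```javascript
// Added example; requireLiveSession, fetchUserinfo, simulate and LOGIN_PATH are hypothetical names.
const LOGIN_PATH = '/login'; // assumed login route

// True only when the IdP itself rejected the token (the error seen in the issue's log).
function isTokenRejected(err) {
  return Boolean(err) && err.error === 'invalid_token';
}

// Express-style middleware factory. fetchUserinfo(accessToken) stands in for
// openid-client's client.userinfo() and is injected so the example runs offline.
function requireLiveSession(fetchUserinfo) {
  return async function liveSession(req, res, next) {
    const token = req.session && req.session.accessToken;
    if (!token) return res.redirect(LOGIN_PATH);
    try {
      req.user = await fetchUserinfo(token);
      return next();
    } catch (err) {
      // Network faults and other errors go to the error handler; they are not a logout.
      if (!isTokenRejected(err)) return next(err);
      // Token rejected: drop the local session before sending the browser to log in again.
      return req.session.destroy(() => res.redirect(LOGIN_PATH));
    }
  };
}

// Constructed error shaped like the OPError in the issue's log.
function expiredTokenError() {
  const err = new Error('invalid_token (Token verification failed)');
  return Object.assign(err, { name: 'OPError', error: 'invalid_token' });
}

// Constructed request/response doubles to exercise the middleware without Express.
async function simulate(fetchUserinfo, accessToken) {
  const out = { redirect: null, nextCalled: false, error: null, destroyed: false };
  const req = { session: { accessToken, destroy(cb) { out.destroyed = true; cb(); } } };
  const res = { redirect(path) { out.redirect = path; } };
  const next = (err) => { out.nextCalled = true; out.error = err || null; };
  await requireLiveSession(fetchUserinfo)(req, res, next);
  return out;
}

simulate(async () => { throw expiredTokenError(); }, 'constructed-token')
  .then((r) => console.log(r));
```

Destroying the session before the redirect matters: a redirect alone leaves a cookie that still maps to a server-side session holding a dead token.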
