Handling Incomplete Logout Flows Between Keycloak and Azure AD

Xie, Changning (DFO/MPO) 0 Reputation points
2025-02-18T18:11:18.53+00:00

We have configured Keycloak as the authentication provider with Azure Active Directory (AAD) as the Identity Provider (IdP). Our user-facing web applications are connected to Keycloak as clients. When a user initiates a logout, it follows a client-initiated, browser-based logout process:

The client application sends a logout request to Keycloak.

Keycloak forwards a logout request to AAD via the following endpoint:

GET https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F

(Reference: Microsoft Documentation - Send a Sign-Out Request)

After processing the logout, AAD redirects the user back to Keycloak via the /logout_response endpoint to terminate the user session in Keycloak.

Issue:

The redirection from Keycloak to AAD often takes more than 5 seconds, displaying the message: "Hang on a moment while we sign you out." If a user closes the browser tab before AAD completes the logout process, the request to the /logout_response endpoint is never sent. As a result:

The session remains active in Keycloak.

If the user attempts to log out again, AAD appears to have already terminated the session, which displays the following (screenshot omitted), but the Keycloak session remains active, causing inconsistent logout behavior.

Expected Behavior:

If the AAD logout process is interrupted (e.g., by the user closing the browser tab), a rollback mechanism should prevent a partial logout, allowing users to attempt the logout again.

If the AAD logout process fails or is incomplete, it should still trigger a request to the /logout_response endpoint to terminate the Keycloak session.

Question:

Are there any recommended configurations or approaches to ensure:

The Keycloak session is terminated even if the AAD logout process is interrupted or fails.

A rollback mechanism or retry logic is in place for incomplete logout attempts.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Xie, Changning (DFO/MPO) 0 Reputation points
    2025-02-24T13:28:09.7+00:00

    @Goutam Pratti, thank you for your response.

    During the normal AAD logout process, users typically see a sign-out UI (screenshot omitted).

    And after a few seconds when it completes, AAD sends a /logout_response request to Keycloak to complete the logout.

    However, if the process is interrupted—such as when a user closes the browser tab before AAD completes the logout—AAD still terminates the session on its end but does not send a logout request to Keycloak. This results in an inconsistent state where the Keycloak session remains active.
    And if the user attempts to log out again, they will see the following UI (screenshot omitted), which suggests that they have been logged out from AAD, but the session from Keycloak is still active.

    Given this behavior, I would expect AAD to implement a rollback mechanism in case of an interrupted logout, preserving the session instead of partially completing the process and disrupting authentication workflows in systems like Keycloak.

    Are there any upcoming updates or workarounds that address this issue? Is there a recommended way to detect and handle incomplete logouts at the IdP level?

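The failure mode described in the question and restated in the follow-up above is that the Keycloak session only dies when the browser completes the round trip through Azure AD. One defensive workaround is to make the Keycloak session termination independent of the browser: the application revokes the Keycloak session server-to-server first, and only then sends the browser down the front-channel Keycloak to AAD chain. The code below is an added illustration of that ordering; it is not code from this thread, from Keycloak, or from Microsoft. The Keycloak base URL, realm, client id and secret are assumptions, the endpoint path and the refresh_token form POST are Keycloak's documented OIDC logout endpoint, and the HTTP transport is injectable so the flow can be exercised offline with a constructed fake.

```python
# Added example (not from the Q&A thread, Keycloak or Microsoft): revoke the
# Keycloak SSO session over the back channel *before* redirecting the browser
# to the Keycloak -> Azure AD front-channel logout, so that a tab closed during
# the "Hang on a moment while we sign you out" page cannot leave the Keycloak
# session alive.
#
# Assumptions (not from the thread): the base URL, realm, client id and secret
# below; the confidential client holds the user's refresh token and ID token.
import urllib.error
import urllib.request
from urllib.parse import urlencode

KEYCLOAK_BASE = "https://keycloak.example.test"       # assumption
REALM = "myrealm"                                     # assumption
CLIENT_ID = "myapp"                                   # assumption
CLIENT_SECRET = "<client-secret-placeholder>"         # placeholder
POST_LOGOUT_REDIRECT_URI = "http://localhost/myapp/"  # value from the question


def logout_endpoint(base: str = KEYCLOAK_BASE, realm: str = REALM) -> str:
    """Keycloak's OIDC logout (end_session) endpoint for the realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/logout"


def _http_post_form(url: str, form: dict) -> int:
    """Real transport: POST a form body and return the HTTP status code."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def backchannel_logout(refresh_token: str, post=_http_post_form) -> bool:
    """Terminate the Keycloak SSO session server-to-server.

    This call never touches the browser, so it completes even if the user
    closes the tab during the later Azure AD step. Keycloak answers
    204 No Content on success; `post` is injectable for offline use.
    """
    form = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
    }
    return post(logout_endpoint(), form) == 204


def frontchannel_logout_url(id_token: str) -> str:
    """Browser redirect that lets Keycloak chain the logout to Azure AD.

    id_token_hint identifies the (already revoked) session and its IdP;
    post_logout_redirect_uri must be registered on the Keycloak client.
    """
    params = {
        "id_token_hint": id_token,
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
    }
    return logout_endpoint() + "?" + urlencode(params)


def logout(session: dict, post=_http_post_form) -> tuple:
    """Application logout handler.

    Order matters: (1) drop the app's own session, (2) revoke the Keycloak
    session over the back channel, (3) only then redirect the browser to the
    front-channel chain. Returns (keycloak_revoked, redirect_url) so the
    caller can log a failed revocation instead of silently continuing.
    """
    refresh_token = session.pop("refresh_token", None)
    id_token = session.pop("id_token", "")
    session.clear()  # the local app session is gone regardless of what follows
    revoked = bool(refresh_token) and backchannel_logout(refresh_token, post=post)
    return revoked, frontchannel_logout_url(id_token)


def _fake_post_factory(status: int, calls: list):
    """Offline stand-in for the transport (constructed, for demonstration)."""
    def fake_post(url, form):
        calls.append((url, dict(form)))
        return status
    return fake_post


if __name__ == "__main__":
    calls = []
    sess = {"refresh_token": "rt-constructed", "id_token": "idt-constructed", "user": "alice"}
    ok, url = logout(sess, post=_fake_post_factory(204, calls))
    print("keycloak session revoked:", ok)
    print("redirect browser to:", url)
```

With this ordering the AAD step is still best-effort in the browser, but an interrupted redirect now leaves at most the AAD session open, and the app has a return value it can log or alert on when the back-channel revocation itself fails, which is the inconsistency the thread is about.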

  2. Goutam Pratti 6,195 Reputation points Microsoft External Staff Moderator
    2025-02-25T11:20:33.5166667+00:00

    Hello @Xie, Changning (DFO/MPO) ,

    Thank you for your Response.

    I understand you want to know whether there are any upcoming updates or workarounds to address your issue, and whether there is any recommended way to detect and handle incomplete logouts at the IdP level.

    Currently, there are no updates from our side. However, you can provide feedback on your issue in the FeedBack-Forum so that our PG team can review the product requirements. This will help us in enhancing the features.

    If you have any additional questions feel free to ask.

    You can Accept the answer if it is helpful so that it can be beneficial for the community members.

