TL;DR
I want to ensure that all browser sessions notice “immediately” when one Single-Sign-On participant logs out. I’m hoping to do this by having the AdminURL called when a user logs out.
But I can’t seem to trigger the AdminURL getting called when a user logs out. My guess is that I’m using frontchannel logout, where I should be using backchannel logout. Is it correct that the Admin URL is triggered only by backchannel logouts?
If so, how does one perform a backchannel logout from a webserver that has implemented Authorization Code Flow and has access, id and refresh tokens?
Or is there a tiny hello world example that demonstrates how it works?
Details
I have a user that logs in to multiple applications using different clients using Authentication Code Flow. He logs out by redirecting to
http://192.168.225.5:8181/auth/realms/$realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F%2Foauth2%2FlogoutCB
Once he does that, the other clients notice the logout indirectly after the access tokens expire and an attempt to refresh them is made with the refresh token. So the logout works - the session is cleared in KC, but AdminURL is not called even when configured. (I’ve also tried posting to that URL providing a refresh_token, client_id and client_secret - AdminURL also not called.)
If instead I hit “Logout all” from the Sessions part of the KC admin console, the AdminURL is called, so it looks to me like the AdminURL is configured properly.
There are several mentions of this here and there. That last one was on the mailing list 4 days ago.
This post says:
The ordinary logout and the backchannel logout are two complete different things.
The ordinary logout works by redirecting the browser to the URL you mentioned in (2). The user is recognized by the browser session in Keycloak, hence a browser redirect is crucial (the redirect_uri is not even necessary to provide).
I think the deal is that there is front-channel and backchannel logout, and only backchannel logout triggers the Admin URL webhook. Is that correct? Is it also correct that /auth/realms/test/protocol/openid-connect/logout is the frontchannel logout endpoint? If so, how do I trigger a backchannel logout so the AdminURL is called?
I’m using Keycloak 11.0.0, and I’ve also tried Keycloak 7.0.0. I created a “test” realm and two clients and a user, where I make the clients confidential and configure their AdminURL to be http://192.168.225.5:9998 and http://192.168.225.5:9999 respectively. These AdminURLs are called when I hit “Logout all” from the Sessions part of the KC admin console, but not when a user logs out by either redirecting to or posting to /auth/realms/$realm/protocol/openid-connect/logout.
Can anybody see what I am doing wrong? Or is there a bug in KC? I think I’ve spent about 20 hours on this and I’m going crazy…
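To make concrete what the receiving side of a backchannel logout has to do once the identity provider does push a message to the application, here is an added example (not code from the post and not Keycloak's own adapter code). It implements the application's logout webhook for the standardised OIDC Back-Channel Logout message, a signed "logout_token" JWT carrying an "events" claim; Keycloak's AdminURL webhook uses its own adapter-specific message format, so the claim names below are the OIDC spec's, not Keycloak's. Assumptions made so that it runs offline: the token is HS256-signed with a shared secret (a real IdP signs with the realm's RSA key and the app would verify against the realm's published JWKS), and the issuer URL, client id "app1", session ids and secret are constructed sample values.

```python
# Added example: validating a back-channel logout token and terminating the
# matching local sessions. Standard library only; HS256 with a shared secret is
# an assumption for the offline demo, not how a production IdP signs.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


class LogoutTokenError(Exception):
    """Any token the receiver must reject (the webhook answers HTTP 400)."""


def verify_logout_token(token, secret, issuer, client_id, seen_jti, now=None):
    """Check signature and the claim rules of a logout token; return its claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # never accept 'none' or a surprise alg
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        raise LogoutTokenError("not addressed to this client")
    if "iat" not in claims or "jti" not in claims:
        raise LogoutTokenError("iat and jti are required")
    if claims.get("exp", now) < now:
        raise LogoutTokenError("expired")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("need sub or sid to know whom to log out")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:                     # a logout token must not carry a nonce
        raise LogoutTokenError("nonce present")
    if claims["jti"] in seen_jti:             # replay protection
        raise LogoutTokenError("replayed jti")
    seen_jti.add(claims["jti"])
    return claims


class SessionStore:
    """Local app sessions, each remembering the IdP user (sub) and IdP session (sid)."""

    def __init__(self):
        self.sessions = {}                    # local_id -> {"sub": ..., "sid": ...}

    def add(self, local_id, sub, sid):
        self.sessions[local_id] = {"sub": sub, "sid": sid}

    def handle_logout(self, claims):
        """Terminate by sid when given, otherwise every session of the sub."""
        doomed = [lid for lid, s in self.sessions.items()
                  if (("sid" in claims and s["sid"] == claims["sid"])
                      or ("sid" not in claims and s["sub"] == claims["sub"]))]
        for lid in doomed:
            del self.sessions[lid]
        return sorted(doomed)


def process_logout_request(form_body, store, secret, issuer, client_id, seen_jti, now=None):
    """Emulate the webhook: the IdP POSTs 'logout_token=<jwt>' as form data.
    Returns (http_status, terminated_local_ids): 200 on success, 400 on any rejection."""
    token = parse_qs(form_body).get("logout_token", [""])[0]
    try:
        claims = verify_logout_token(token, secret, issuer, client_id, seen_jti, now)
    except LogoutTokenError:
        return 400, []
    return 200, store.handle_logout(claims)
```

The point for the original question: the AdminURL style of logout only helps if the application behind it validates the pushed message (signature, issuer, audience, event type, freshness, replay) before it clears sessions, and it terminates exactly the sessions the message names; the front-channel redirect in the post carries none of that and relies on each application noticing the lost session on its own.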