As we know, backchannel logout is used to implement SLO, and Keycloak 12.x already supports it.
But I found that the logout event is abused:
1. I have a client A that registers a backchannel logout URL.
2. Client A triggers a logout action with the user's refresh token and client_id.
3. Client A also receives a logout token.
This is weird to me. IMHO, the backchannel logout URL is more like a passive handler, making it possible to know that a user has logged out from another application in the SSO system,
and that "you" should log out too. I am not sure if I am right about this. Could someone help me out?