Backchannel logout URL not working

My client’s “Backchannel logout URL” is not getting called whenever a user logs out.

  • Confidential flow
  • Backchannel Admin URL: http://test.bla.io/auth/k_logout (I am expecting a request at this exact address).
  • Backchannel logout session: required
  • Admin URL: none

When I force a logout (delete user session) in the Keycloak admin interface, I expect all clients within the realm to receive a request at their respective “Backchannel logout URL”. I never receive such an HTTP request.

To reiterate, I am expecting Keycloak to let client(s) know that a user session has been removed whenever:

  1. the user logged out via end_session_endpoint
  2. the user logged out via their keycloak interface
  3. the keycloak admin forcefully removed the session

In any of these cases, my client needs to know “what happened” (i.e. receive an event that the user logged out), because my client(s) have their own session management, which will need to be invalidated.

Why is my URL not being called?

  • Keycloak 19.0.1
  • Edge mode (nginx TLS terminated)

Here is one of my clients, in JSON format:

{
  "access": {
    "configure": true,
    "manage": true,
    "view": true
  },
  "adminUrl": "",
  "alwaysDisplayInConsole": false,
  "attributes": {
    "backchannel.logout.revoke.offline.tokens": "false",
    "backchannel.logout.session.required": "true",
    "backchannel.logout.url": "http://test.bla.io/auth/k_logout",
    "client.secret.creation.time": "1661704345",
    "display.on.consent.screen": "false",
    "oauth2.device.authorization.grant.enabled": "false",
    "oidc.ciba.grant.enabled": "false",
    "post.logout.redirect.uris": "http://test.bla.io/*"
  },
  "authenticationFlowBindingOverrides": {},
  "baseUrl": "http://test.bla.io",
  "bearerOnly": false,
  "clientAuthenticatorType": "client-secret",
  "clientId": "removeme2903",
  "consentRequired": false,
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "email"
  ],
  "description": "removeme",
  "directAccessGrantsEnabled": true,
  "enabled": true,
  "frontchannelLogout": true,
  "fullScopeAllowed": true,
  "id": "87d44e5c-3806-4dc5-9cc4-3e99b89dd132",
  "implicitFlowEnabled": false,
  "name": "removeme2903",
  "nodeReRegistrationTimeout": -1,
  "notBefore": 0,
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "protocol": "openid-connect",
  "publicClient": false,
  "redirectUris": [
    "http://test.bla.io/*",
    "http://test.bla.io/auth/after_logout"
  ],
  "rootUrl": "http://test.bla.io",
  "secret": "bla",
  "serviceAccountsEnabled": false,
  "standardFlowEnabled": true,
  "surrogateAuthRequired": false,
  "webOrigins": []
}

I have the same exact issue, same configuration and no logout request to the URL when logging out the session from the user session list. Did you manage to solve this?

No, instead I am now manually doing it via Python:

  1. Connect to the Keycloak admin API
  2. Loop all available clients (web-applications)
  3. Get all the user sessions associated with those clients
  4. If we notice a user session is removed, Python can send a logout HTTP token to the backchannel.logout.url as specified by the client.

This can all be done via the API (albeit for signing the logout token you need the private key, which you can fetch from the database).

Yes, it sucks. But at least it works, seems like this feature is just broken in Keycloak as far as I can tell.

Thanks! Finally I got it working: it looks like if Front-Channel logout is enabled on the client (which is the default setting), even if you also enable Back-Channel logout, it fails silently.

It wasn’t obvious to me, since you can enable both at the same time, and I did not find any documentation, so I had to dig deep into the sources. Now I have disabled Front-Channel logout and I have started getting Back-Channel requests!
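Whichever side sends the logout token (Keycloak once Front-Channel logout is off, or the Python workaround above), the client still has to validate it before killing its own sessions. The handler below for the backchannel.logout.url (the /auth/k_logout endpoint in the thread) is an added example, not code from the thread or from Keycloak: it performs the claim checks OIDC Back-Channel Logout requires (issuer, audience, iat window, no nonce, the backchannel-logout event, sid or sub, one-time jti) and then drops the local sessions bound to that Keycloak session. To run offline it signs with HS256 and a shared demo key; a real client verifies Keycloak's RS256 signature with the realm's public key instead, and the issuer, client id, key and session store here are constructed.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs
EVENT = "http://schemas.openid.net/event/backchannel-logout"
def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_claims(c: dict, issuer: str, client_id: str, now: int, seen_jti: set) -> dict:
    # Claim checks from OIDC Back-Channel Logout 1.0 section 2.6; any failure raises ValueError
    if c.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if not (c.get("aud") == client_id or (isinstance(c.get("aud"), list) and client_id in c["aud"])):
        raise ValueError("aud does not name this client")
    if not isinstance(c.get("iat"), int) or abs(now - c["iat"]) > 120:
        raise ValueError("iat missing or outside the 120 s window")
    if "nonce" in c:  # a logout token must never carry a nonce (prevents ID-token confusion)
        raise ValueError("nonce present")
    if EVENT not in (c.get("events") or {}):
        raise ValueError("events claim lacks backchannel-logout")
    if "sid" not in c and "sub" not in c:
        raise ValueError("neither sid nor sub")
    if not c.get("jti") or c["jti"] in seen_jti:  # replay protection
        raise ValueError("jti missing or replayed")
    seen_jti.add(c["jti"])
    return c

def handle_k_logout(body: str, key: bytes, issuer: str, client_id: str, now: int, sessions: dict, seen_jti: set) -> int:
    # POST handler for the backchannel.logout.url; body is 'logout_token=<jwt>'. Returns the HTTP status to answer with
    token = parse_qs(body).get("logout_token", [""])[0]
    try:
        h, p, s = token.split(".")
        # HS256 keeps the example self-contained; against Keycloak verify RS256 with the realm's public key instead
        mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if json.loads(unb64url(h)).get("alg") != "HS256" or not hmac.compare_digest(mac, unb64url(s)):
            return 400
        c = validate_claims(json.loads(unb64url(p)), issuer, client_id, now, seen_jti)
    except (ValueError, json.JSONDecodeError):
        return 400
    # Kill every local session bound to the Keycloak session id, or to the user when only sub is present
    sid, sub = c.get("sid"), c.get("sub")
    for k in [k for k, v in sessions.items() if (sid and v.get("sid") == sid) or (not sid and v.get("sub") == sub)]:
        del sessions[k]
    return 200

def make_logout_token(claims: dict, key: bytes) -> str:
    # Constructed sample of what Keycloak would POST, signed with the demo HS256 key
    h, p = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), b64url(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
```

Store the Keycloak `sid` (from the ID token's sid claim) alongside each local session when the user logs in; without it the handler can only fall back to matching on `sub`, which logs the user out of every device at once.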