In my case when “Service A” requests access token with
grant_type=client_credentials
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
(AND according to comments from https://issues.redhat.com/browse/KEYCLOAK-2931
with client_session_state=… and client_session_host=…) keycloak doesn’t do ‘k_logout’ backchannel request, printing ‘Cant logout {0}: no logged adapter sessions’ to debug output.
I think the problem exists because keycloak doesn’t support such usage for client_credentials grant, only for authorization_code (some research of keycloak server source code). Is there any way to use backchannel logout for this use case?
Resource server represented by spring boot application with appropriate keycloak adapter
Keycloak doesn’t support a backchannel logout as mentioned in the specs. The only thing is the “k_logout” via the admin URL, which you already discovered, but this doesn’t work for client auth.
Backchannel logout is on the roadmap - …somewhere.
Thanks for answer. I think you mentioned this feature request https://issues.redhat.com/browse/KEYCLOAK-2940 , unfortunately it is really “somewhere” and “sometime”. Subscribed and voted just in case