Backchannel logout with multiple application instances

Tobb · June 16, 2020, 7:28am

Hi

I have a question regarding backchannel logout when using multiple application instances.

Say you have an application with two instances (A and B) behind a reverse proxy. You create a client for the application in Keycloak, and set the admin URL to point to the reverse proxy. Then, consider:

The user gets a session to instance A
The user logs out from another application
Keycloak performs backchannel logout against the loadbalancer, but reaches instance B
Instance B does nothing since it does not have a session with the user. The session in instance A is still there.

How do you achieve single logout with backchannel when you have multiple application instances?

Wukash · July 2, 2020, 11:15am

I was wondering the same. The only “fix” I came up with (haven’t tested it) is:

Set “Admin URL” to specific address of instance A (not to loadbalancer address)
Duplicate that client in keycloak, and for that new client set “Admin URL” to instance B

Now Keycloak should call logout in both instances (not sure if it can cause some issues related to nonexistent sessions in some instances).

Topic		Replies	Views
Keycloak realm as client and client back channel logout Configuring the server	1	390	October 28, 2021
How to use backchannel log out for Single log out Getting advice	1	408	February 9, 2021
Back channel logout doesn't work Securing applications authentication , oidc	1	1222	June 12, 2023
Backchannel Logout URL not called Getting advice	2	1045	August 24, 2022
Backchannel Logout event shouldn't be sent to the client that triggers the logout action Securing applications	0	497	February 10, 2021

Backchannel logout with multiple application instances

Related Topics