Backchannel logout with multiple application instances


I have a question regarding backchannel logout when using multiple application instances.

Say you have an application with two instances (A and B) behind a reverse proxy. You create a client for the application in Keycloak, and set the admin URL to point to the reverse proxy. Then, consider:

  1. The user gets a session to instance A
  2. The user logs out from another application
  3. Keycloak performs backchannel logout against the load balancer, but reaches instance B
  4. Instance B does nothing since it does not have a session with the user. The session in instance A is still there.

How do you achieve single logout with backchannel when you have multiple application instances?

I was wondering the same. The only “fix” I came up with (haven’t tested it) is:

  1. Set “Admin URL” to the specific address of instance A (not to the load balancer address)
  2. Duplicate that client in Keycloak, and for that new client set “Admin URL” to instance B

Now Keycloak should call logout in both instances (not sure if it can cause some issues related to nonexistent sessions in some instances).
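
The scenario from the question, the per-instance delivery from the reply, and a shared revocation store, simulated as an added example that is not part of the original thread and is not Keycloak or adapter code. The `Instance` class, the `run_scenario` helper, the mode names and the shared-store variant are assumptions made for illustration; the in-memory set stands in for a store that all instances can reach.

```python
class Instance:
    """One application instance; sessions are keyed by the IdP session id."""

    def __init__(self, name, revoked=None):
        self.name = name
        self.sessions = {}      # local to this instance: idp_sid -> user
        self.revoked = revoked  # optional set shared by all instances

    def login(self, idp_sid, user):
        self.sessions[idp_sid] = user

    def backchannel_logout(self, idp_sid):
        # Harmless no-op when this instance never held the session.
        self.sessions.pop(idp_sid, None)
        if self.revoked is not None:
            self.revoked.add(idp_sid)  # every instance sees the revocation

    def is_authenticated(self, idp_sid):
        if self.revoked is not None and idp_sid in self.revoked:
            self.sessions.pop(idp_sid, None)  # drop the stale local session
            return False
        return idp_sid in self.sessions


def run_scenario(mode):
    """Replay the scenario; return True if instance A still accepts the session.

    mode: "lb"     = logout goes through the load balancer and reaches only B
          "fanout" = logout is delivered to every instance (the reply's idea)
          "shared" = one delivery, but revocations live in a shared store
    """
    sid = "sid-constructed-1"  # constructed sample value
    revoked = set() if mode == "shared" else None  # stand-in for a shared DB/cache
    a, b = Instance("A", revoked), Instance("B", revoked)
    a.login(sid, "alice")  # the user gets a session on instance A
    targets = [a, b] if mode == "fanout" else [b]
    for inst in targets:
        inst.backchannel_logout(sid)
    return a.is_authenticated(sid)


if __name__ == "__main__":
    for mode in ("lb", "fanout", "shared"):
        print(mode, "-> session on A still valid:", run_scenario(mode))
```

In this model only the `lb` mode leaves the session on instance A alive; how a real deployment behaves depends on the adapter and session storage in use.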