I’m using Keycloak 9.0 and have a couple of clients registered. Each of the clients is a docker-swarm-service with 2 replicas (instances).
In front of the applications there is a haproxy with dynamic sticky session cookie. A serverid cookie leads the user agent to the same backend app.
When using backchannel-logout the url for the ‘k_logout’ REST-Call to the apps is configured in the ‘Admin URL’ of the client in the Keycloak Admin Web UI.
The problem is that here I don’t have the sticky-session cookie information, and the docker-service-name in the adminURL leads to one of the two instances (via docker internal load balancer). Therefore the backchannel-logout may be called on an instance of the app where the keycloak security context isn’t available in the http session, and consequently the user is not logged out for this app.
So the front-channel logout would be via haproxy sticky-session load balancing and the back-channel logout is via internal docker-load balancer.
Do you have any idea how to ensure that all of the instances of the client get the backchannel-logout requests?