Best practice to detect logout from identity provider?

I have the following setup of my application client:

AppClient <= OIDC => KeyCloak <= SAML2 => MSAzure

In other words, I authenticate the client with Keycloak, and Keycloak redirects the authentication to the MSAzure identity provider over SAML2.

Things work fine: the app can log in to Keycloak and the app can log out (the logout automatically initiates logout from MSAzure).

The question is what do I do when the user logs out of MSAzure - in this case MSAzure does SingleLogout from Keycloak over SAML2 (this works fine) and Keycloak logs the user out. The problem is that my application does not know about this logout.

What is the best practice to get the application to learn about the logout or session termination on Keycloak?

I tried the JavaScript adapter, but it does not work because the session cookie is invalidated on local logout only.

Should the application client periodically poll OIDC auth endpoint passing prompt=none?

Should the application server periodically poll userinfo endpoint?

What is the best practice here?


I’ve been using the check-session endpoint in Keycloak via OIDC session management. The spec is still in draft, but it’s been working pretty well so far.

https://openid.net/specs/openid-connect-session-1_0.html#RPiframe

The idea is that instead of polling via a request you open an iframe from the RP to the OP and send messages via the postMessage interface. Then when the session state changes in Keycloak you can either force a logout on your client or silently try to reauth them.

Your OIDC client will need to support this and you’ll have to add an invisible iframe to your pages, but the base idea is pretty easy to implement. The part I haven’t got down yet is the silent reauth - so I’m just logging the user out for now.

Anyway - maybe worth a look through! Hope it helps!

I looked at how the Keycloak JavaScript Adapter uses the RP iframe. It basically relies on the fact that another page in the application does a logout from Keycloak and this changes the value of document.cookie, and that’s how the RP iframe detects the change. That is exactly what it means that the RP iframe detects session state changes on local logouts only.

If the session state changes remotely on the Keycloak server by means of SingleLogout from the identity provider, then the RP iframe approach does not work.

I implemented a similar approach where, instead of polling document.cookie, an RP iframe checks the OIDC session status on the Keycloak server by calling the OIDC authorize endpoint and passing prompt=none. The approach works fine but I’d like to avoid polling completely, if possible.

Any advice would be appreciated.

Ah, ok. I think this is similar to an issue I ran into as well - sorry if I misunderstood earlier.

This does work if the Keycloak session expires naturally or the user hits the end-session endpoint somewhere, but I found it did not work if I force-logout the user from inside Keycloak. Perhaps the same mechanism is at work in your case of the remote logout.

I created a post about this some time back on Keycloak and they confirmed as such but didn’t offer any other alternative. I’m pretty new to Keycloak so I'm all out of ideas now :frowning: