Front-channel logout example using OIDC?

Front channel logout question:

  • on Realm A, I have an OIDC Client which is another Keycloak instance. It has front-channel logout turned on, with the OIDC logout url from Realm B.
  • on Realm B, I have a Keycloak-OIDC identity provider which points Realm A.
  • on Realm B, I set the identity provider pointing to Realm A as the default in the Identity Provider Redirector authenticator
  • I log into the account console in both Realm A and Realm B.
  • When I log out from Realm B, I’m logged out from both Realm B and A.
  • When I log out from Realm A
    • I see a flash of a page “You are logging out …” as it redirects to https://somehost.com/auth/realms/realmb/protocol/openid-connect/logout?sid=9f5db4c3-4f8f-477c-afaa-12350f8f6ee3&iss=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Frealma which returns a 200. There must also be something happening on that page in js, as it then goes back to the Realm A account console without a 300.
    • I’m still logged in to Realm B.

How do I set it up so that when I log out in either realm, I’m logged out from both? I feel like I’ve done this before successfully, but I can’t do it now. Any ideas?

Doing some more research here. In the front-channel OIDC spec, it says:

RPs supporting HTTP-based logout register a logout URI with the OP as part of their client registration. The domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value.

I’ve added the Realm B OIDC logout url to the Realm A client redirect URIs, but no effect.

Is it a flawed assumption that I can use the Realm B OIDC logout url as the Realm A client front channel logout url? Is this instead supposed to be an application url that calls the end session endpoint?

I think the answer is yes, it’s not meant for this use.

This endpoint is aligned with OpenID Connect RP-Initiated Logout specification Final: OpenID Connect RP-Initiated Logout 1.0

and there are no params for sid and iss.
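To make the distinction above concrete, here is an added example (not from the thread or from Keycloak's own code) of what an RP-side front-channel logout endpoint does when the OP loads it with `sid` and `iss`, plus the spec's registration rule that the logout URI must share scheme, host and port with a registered redirect URI. The session store, the function names and the policy of requiring both parameters are assumptions; the sample URL and issuer values are the ones from the original post.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(uri):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(uri)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def logout_uri_allowed(logout_uri, registered_redirect_uris):
    """Front-channel logout spec rule: scheme, host and port of the logout
    URI must equal those of at least one registered redirect URI."""
    return any(_origin(logout_uri) == _origin(r) for r in registered_redirect_uris)


def handle_front_channel_logout(request_url, expected_issuer, sessions):
    """Handler an RP exposes at its front-channel logout URI.

    `sessions` maps a local session id to {"iss": ..., "sid": ...} recorded
    from the ID token at login (assumed store). Every local session bound to
    the OP session `sid` is ended; the ended ids are returned. As a policy
    assumption, requests missing `iss` or `sid`, or carrying an unexpected
    issuer, end nothing.
    """
    params = parse_qs(urlsplit(request_url).query)
    iss = params.get("iss", [None])[0]   # parse_qs already URL-decodes
    sid = params.get("sid", [None])[0]
    if iss is None or sid is None or iss != expected_issuer:
        return []
    ended = [k for k, v in sessions.items() if v["iss"] == iss and v["sid"] == sid]
    for k in ended:
        del sessions[k]
    return ended


if __name__ == "__main__":
    # Constructed sample: the logout request from the post, hitting an RP
    # that holds one session from Realm A and one unrelated session.
    url = ("https://rp.example/logout?sid=9f5db4c3-4f8f-477c-afaa-12350f8f6ee3"
           "&iss=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Frealma")
    store = {"local-1": {"iss": "http://localhost:8080/auth/realms/realma",
                         "sid": "9f5db4c3-4f8f-477c-afaa-12350f8f6ee3"},
             "local-2": {"iss": "http://localhost:8080/auth/realms/realma",
                         "sid": "other-sid"}}
    print(handle_front_channel_logout(url, "http://localhost:8080/auth/realms/realma", store))
    print(logout_uri_allowed("https://rp.example/logout", ["https://rp.example/callback"]))
```

Pointing a client's front-channel logout URL at Realm B's end-session endpoint gives this kind of handler nothing to run: Keycloak's endpoint does not consume `sid` and `iss`, so the session that should be ended is never matched.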

Just a minor consideration about front-channel logout. The upcoming deprecation of third-party cookies will impact identity federation in several ways:

  • OpenID Connect Front-Channel Logout
  • OpenID Connect Session Management
  • iframe-based background token renewal
  • iframe-based login widget

I don’t know if anything has changed recently, but when the deprecation was announced, those were the future issues to bear in mind.
