Keycloak OIDC Backchannel Logout (client_session_state missing in Logout Token)

See also http://keycloak.discourse.group/t/oidc-backchannel-logout-single-logout-with-spring-security/8761/2
Currently implemented solution (Admin URL backchannel logout [k_logout]).
We have several applications connected to our Keycloak. We implemented single logout functionality between those applications by using the k_logout mechanism of Keycloak:

  1. For each of our applications a client in Keycloak was created and, besides the other configuration (client-id, client-secret, …), an Admin-URL was set
  2. During the login procedure (Authentication Code Flow is used) we enhanced the body of the token request with the parameter “client_session_state”. The value we transmit for “client_session_state” is our application-internal session ID (PHP session ID / JSESSIONID). Therefore, Keycloak receives the application’s session ID during a user’s login request. In the case of SSO, Keycloak receives the session IDs of all of the user’s application sessions, as all those applications request tokens for the user.
  3. If the user logs out, our applications send a logout request to Keycloak like this: /auth/realms/XXXXXX/protocol/openid-connect/logout?id_token_hint=……&post_logout_redirect_uri=…
  4. Keycloak ends its own user session, redirects the application back to the post_logout_redirect_uri and sends backchannel logout requests to all the other clients where the user also had a session. Those logout requests are POST requests sent to the configured Admin URLs with the suffix “k_logout” appended, e.g. “https://some.domain.com/oidc/k_logout”. In the body of the logout POST request Keycloak adds an “Admin” logout token, which contains, besides other claims, information about the client (“resource”) and the corresponding application session IDs (“adapterSessionIds”).
    Example of a Keycloak “Admin” logout token (decoded claims):

    {
      "id": "asdsf-fgfhg-4e0a-asdas-kjljkhl-refg345345",
      "expiration": 1671448285,
      "resource": "theClientId",
      "action": "LOGOUT",
      "adapterSessionIds": [
        "894e3255643r2w3843425r2348423"
      ],
      "notBefore": 0,
      "keycloakSessionIds": [
        "asdas-fgh-sesad-dfg-asdghdfh235223"
      ]
    }
With the information from the “Admin” logout token (adapterSessionIds), our applications can decide which application session needs to be terminated if a user login occurs.

Using the OIDC Backchannel Logout
With Keycloak V12.0.0, a new OIDC-compliant Backchannel Logout mechanism was introduced. Unfortunately, the logout token sent by Keycloak in the OIDC Backchannel Logout is missing the information about our applications’ internal sessions. Therefore, our applications cannot determine which of the application sessions has to be terminated in case of a user logout. We know that this may not be part of the OIDC specification, but as Keycloak already has the functionality to store additional values for a client in a user’s authentication session (as described for the k_logout mechanism above: client_session_state → adapterSessionIds), it might be a good idea to enhance the OIDC Backchannel Logout token with additional parameters, e.g. adapterSessionIds. This would have the benefit that the applications do not need to implement a mapping mechanism between the Keycloak session and their own application sessions.
Conclusion: Is it possible to enhance the OIDC Backchannel Logout token with additional claims, such as “adapterSessionIds”?
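For comparison, the following added example (not code from the post or from Keycloak) sketches the two application-side handlers the post describes: the k_logout path, where the token names the adapter session IDs directly, and the OIDC Back-Channel Logout path, where the application has to keep its own mapping from the Keycloak session id (the `sid` claim) to its application sessions, and must validate the logout token's claims before acting on it. The issuer, client id, session ids and the HS256 shared secret are constructed values; a real Keycloak realm signs with RS256 and the application would verify against the realm's JWKS instead. The k_logout admin token is assumed to have been signature-checked already, and the Keycloak session id is assumed to be available to the application at login time.

```python
"""Application-side logout handlers for the two Keycloak mechanisms described above.
Added example; constructed values throughout, not a Keycloak adapter."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: a shared HS256 secret stands in for RS256 verification against the realm JWKS.
ISSUER = "https://keycloak.example.com/auth/realms/demo"
CLIENT_ID = "theClientId"
HS256_SECRET = b"constructed-test-secret"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Application session store: app session id -> {"sid": keycloak session id, "sub": user}.
# Filled at login; this is the mapping the post says the app must keep when the
# logout token carries no adapterSessionIds.
APP_SESSIONS = {}


def register_login(app_session_id, keycloak_sid, user_sub):
    APP_SESSIONS[app_session_id] = {"sid": keycloak_sid, "sub": user_sub}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims):
    """Builds an HS256-signed JWT from claims (constructed test helper, plays the IdP)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(HS256_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, now=None):
    """Checks signature and the claim rules of OIDC Back-Channel Logout 1.0, section 2.6.
    Returns the claims, or raises ValueError on any failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(HS256_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not addressed to this client")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    if not claims.get("jti"):
        raise ValueError("jti required")  # a production handler also keeps jti for replay checks
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if "nonce" in claims:  # the spec forbids nonce so an ID token cannot be replayed as a logout token
        raise ValueError("nonce must not be present in a logout token")
    return claims


def handle_oidc_backchannel_logout(token, now=None):
    """OIDC path: ends the app sessions bound to the sid, or all of the user's if no sid is given."""
    claims = validate_logout_token(token, now)
    if "sid" in claims:
        victims = [a for a, rec in APP_SESSIONS.items() if rec["sid"] == claims["sid"]]
    else:
        victims = [a for a, rec in APP_SESSIONS.items() if rec["sub"] == claims["sub"]]
    for a in victims:
        del APP_SESSIONS[a]
    return sorted(victims)


def handle_admin_logout(admin_claims, now=None):
    """k_logout path (token assumed already signature-verified): the adapter session ids are named directly."""
    now = int(time.time()) if now is None else now
    if admin_claims.get("action") != "LOGOUT" or admin_claims.get("resource") != CLIENT_ID:
        return []
    if admin_claims.get("expiration", 0) < now:
        return []
    victims = [a for a in admin_claims.get("adapterSessionIds", []) if a in APP_SESSIONS]
    for a in victims:
        del APP_SESSIONS[a]
    return sorted(victims)
```

The `sid` lookup is exactly the mapping step the post would like to avoid; with `adapterSessionIds` in the token, `handle_admin_logout` needs no such store beyond the sessions themselves. Both handlers return the terminated session ids so the caller can log them.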
