When querying the login-status-iframe, if a user session is forcibly ended within Keycloak by clicking logout all or logout for a specific user session, the status returned by the login-status-iframe remains as “unchanged”. Is this expected, or is there something I’m misunderstanding about how this should work?
It does properly change to “changed” if I visit the Keycloak end session endpoint or if I set a short Keycloak session expiration and allow it to expire.
I would expect that destroying a session within Keycloak would also change the session_state?
Turns out this is expected behavior:
https://issues.redhat.com/browse/KEYCLOAK-13671
Stian Thorgersen added a comment - 3 days ago
This is expected behaviour. The session iframe relies on checking the session cookie, which is only invalidated on a local logout.
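The behaviour described in the comment above, as an added example that is not part of the thread and is not Keycloak's code: a simplified model in which the iframe check only compares the app's session_state with the browser's session cookie. Every name in it (`Idp`, `Browser`, `checkSessionIframe`, `scenario`) and the session id format are assumptions made for illustration.

```javascript
// Simplified model of the behaviour described in the thread; not Keycloak's code.
// All names (Idp, Browser, checkSessionIframe, scenario) are hypothetical.

class Idp {
  constructor() { this.sessions = new Set(); this.nextId = 1; }
  // Interactive login: creates a server-side session and returns its id.
  login() { const id = `sess-${this.nextId++}`; this.sessions.add(id); return id; }
  // Admin console "logout" / "logout all": server-side only, the browser is not involved.
  adminLogout(id) { this.sessions.delete(id); }
  // End-session endpoint visited by the browser: the session is removed
  // server-side and the session cookie is invalidated (a local logout).
  localLogout(id, browser) { this.sessions.delete(id); browser.sessionCookie = null; }
  // What a request that actually reaches the server would learn.
  isActive(id) { return this.sessions.has(id); }
}

class Browser {
  constructor() { this.sessionCookie = null; }
}

// The iframe check: compares the session_state held by the app with the
// session cookie in the browser. It never asks the server anything.
function checkSessionIframe(browser, sessionState) {
  return browser.sessionCookie === sessionState ? "unchanged" : "changed";
}

// Runs one scenario and reports what the iframe says next to the server's view.
function scenario(kind) {
  const idp = new Idp();
  const browser = new Browser();
  const sessionState = idp.login();
  browser.sessionCookie = sessionState;
  if (kind === "admin") idp.adminLogout(sessionState);
  if (kind === "local") idp.localLogout(sessionState, browser);
  return {
    iframe: checkSessionIframe(browser, sessionState),
    serverActive: idp.isActive(sessionState),
  };
}

for (const kind of ["none", "admin", "local"]) {
  console.log(kind, scenario(kind));
}
```

In the admin case the cookie is untouched, so the iframe keeps answering "unchanged" while the server no longer has the session; only a check that reaches the server sees the difference.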
I’m also experiencing this issue.
Does this have something to do with OIDC Session Management Logout being in draft in Keycloak? I can read that in the Server Administration Guide.
I’m using a 3rd party library but session checks always return a “session_unchanged” event.
What’s the best approach to use, in our web-apps, to detect a logout performed at Keycloak console?
Thanks, Stian