Hi everyone!
I want to log out a user from an external IDP (identity brokering) after they have successfully logged in through my IDP, retrieved an access token and been redirected successfully to my client app page. For this reason, I need to call a logout endpoint on my IDP, providing some parameters (state, sessionId, clientId, etc.).
What should I do in Keycloak in order to achieve that?
Hi. There is no built-in functionality for this use case in Keycloak right now (version 18).
You can implement a custom authenticator and make that part of your authentication flow.
If your IDP accepts backchannel logout, you could in theory make the logout in your application backend.
- User login
- Application retrieves IDP token on keycloak broker
- Application submits login to the backchannel URL of IDP
UPDATE:
Tutorial on how to write a custom authenticator: Keycloak Tutorial Series - Authenticator Part 1 - YouTube
Is there a way to get the UserSessionModel (in order to later get the sessionId = state) inside the authenticator? I found the related code below, but authResult is always null.
Thank you
```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AuthenticationManager;

// Inside Authenticator.authenticate(AuthenticationFlowContext context)
UserSessionModel userSessionModel = null;
// Resolves the user session behind the KEYCLOAK_IDENTITY cookie of the current request
AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(
        context.getSession(), context.getRealm(), true);
if (authResult != null) {
    // That is it:
    userSessionModel = authResult.getSession();
}
```
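The following is an added example, not code from this thread or from the Keycloak project, covering both the custom-authenticator suggestion in the answer above and the null `authResult` in the last post. It is written against the Keycloak 18 SPI. While an authenticator in the identity provider's Post Broker Login (or First Broker Login) flow is executing, the user session has not been created yet, so there is no identity cookie for `authenticateIdentityCookie` to find on a fresh login; what does exist is the `AuthenticationSessionModel`. The authenticator below reads the brokered identity context from the authentication session and stores what a later external-IDP logout needs as user-session notes, which Keycloak copies onto the `UserSessionModel` once the flow completes. The package name, class names, provider id and note keys are assumptions of this example.

```java
// Hypothetical package and class names; this is an added example, not code from the thread.
package com.example.keycloak.broker;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.sessions.AuthenticationSessionModel;

import java.util.Collections;
import java.util.List;

/**
 * Runs inside the IdP's Post Broker Login (or First Broker Login) flow. No UserSessionModel
 * exists yet at this point, so everything a later external-IDP logout needs is parked on the
 * authentication session as user-session notes; Keycloak copies them to the user session.
 */
public class CaptureBrokerLogoutInfoAuthenticator implements Authenticator {

    // Note keys are assumptions of this example; any unique names work.
    public static final String NOTE_IDP_ALIAS = "external-idp-alias";
    public static final String NOTE_IDP_SUBJECT = "external-idp-subject";
    public static final String NOTE_IDP_TOKEN_STORED = "external-idp-token-stored";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        BrokeredIdentityContext broker = brokerContext(context);
        if (broker == null) {
            // Not reached through a broker: the execution is bound to the wrong flow.
            context.failure(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
            return;
        }
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setUserSessionNote(NOTE_IDP_ALIAS, broker.getIdpConfig().getAlias());
        authSession.setUserSessionNote(NOTE_IDP_SUBJECT, broker.getId());
        // getToken() is only populated when "Store Tokens" is enabled on the identity provider.
        authSession.setUserSessionNote(NOTE_IDP_TOKEN_STORED, String.valueOf(broker.getToken() != null));
        context.success();
    }

    /** The serialized broker context is stored under a different auth-note key per flow. */
    private static BrokeredIdentityContext brokerContext(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        for (String note : new String[] {
                PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT, // Post Broker Login flow
                AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE }) {      // First Broker Login flow
            SerializedBrokeredIdentityContext serialized =
                    SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, note);
            if (serialized != null) {
                return serialized.deserialize(context.getSession(), authSession);
            }
        }
        return null;
    }

    @Override public void action(AuthenticationFlowContext context) { context.success(); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "capture-broker-logout-info"; // assumed provider id
        private static final Authenticator SINGLETON = new CaptureBrokerLogoutInfoAuthenticator();

        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Capture broker logout info"; }
        @Override public String getReferenceCategory() { return "broker"; }
        @Override public String getHelpText() { return "Stores external IdP details as user session notes."; }
        @Override public boolean isConfigurable() { return false; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] {
                    AuthenticationExecutionModel.Requirement.REQUIRED,
                    AuthenticationExecutionModel.Requirement.DISABLED };
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Package the class in a JAR with a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` file naming `com.example.keycloak.broker.CaptureBrokerLogoutInfoAuthenticator$Factory`, then add the execution to the identity provider's Post Broker Login flow. The Keycloak session id that the original question wants to pass as `state` only exists after the flow finishes; from that point on it is available as `authResult.getSession().getId()` on a later request that carries the identity cookie, or as `event.getSessionId()` in an `EventListenerProvider` handling the LOGIN and LOGOUT events, where the notes stored above can be read back from the user session.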