Logout from only a specific client_id using the Admin REST API

Hi

Is it possible to perform a logout action to a single\specific client id?

The scenario is as follows:
The user is performing a login from app1 (client id APP1)
The same user is performing a login from app2 (client id APP2)
From app1 we are sending a logout request to: _apiAdminBaseUrl}/users/{userId}/logout

We can see in the Admin console that all user sessions (i.e. 2 in this case) are removed.

Is it possible to only remove the session of a single client (in this case APP1)?

This is an old question, but I would like to answer it, maybe it will help someone.

In Keycloak, a logout action initiated from one client typically affects all sessions associated with that user across all clients within the same realm. This is by design and is often considered a security feature to ensure that a user is fully logged out of all applications within the realm.

However, if you specifically need to implement a scenario where logging out from one client only affects that client’s session while leaving other sessions intact, you might need to implement a custom solution.

One potential approach is to use client-specific tokens or session management. You could implement a custom logout endpoint in each client application (APP1 and APP2) that communicates with Keycloak to invalidate the session only for that specific client. This would require some custom logic to manage client-specific sessions and tokens.

Alternatively, you could explore using separate realms for each client application if they need independent session management.

Keep in mind that deviating from the default behavior may have security implications, so thorough testing and consideration of your specific use case are essential. Additionally, always ensure that any custom solutions comply with relevant security best practices.
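
One way to build the client-specific logic discussed above, as an added example that is not part of the original thread: list the user's sessions through the Admin REST API (`GET .../users/{id}/sessions`) and delete (`DELETE .../sessions/{id}`) only those used exclusively by the target client, leaving sessions shared with other clients untouched. The function names, the `realm_admin_url` parameter, the injected `call` helper and the sample data are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import quote

def plan_client_logout(sessions, client_id):
    """Return (exclusive, shared) session ids for client_id.

    exclusive: sessions used only by client_id, safe to delete.
    shared: sessions also used by other clients; deleting one of these
    would log the user out of those clients as well, so they are kept.
    """
    exclusive, shared = [], []
    for s in sessions:
        # Assumption: "clients" maps an internal client UUID to its clientId.
        names = set((s.get("clients") or {}).values())
        if client_id not in names:
            continue
        (exclusive if names == {client_id} else shared).append(s["id"])
    return exclusive, shared

def _call(method, url, token):
    # Minimal Admin REST call with a bearer token (token acquisition not shown).
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def logout_client_only(realm_admin_url, user_id, client_id, token, call=_call):
    """realm_admin_url is assumed to look like https://<host>/admin/realms/<realm>."""
    sessions = call(
        "GET", f"{realm_admin_url}/users/{quote(user_id, safe='')}/sessions", token)
    exclusive, shared = plan_client_logout(sessions or [], client_id)
    for sid in exclusive:
        call("DELETE", f"{realm_admin_url}/sessions/{quote(sid, safe='')}", token)
    return exclusive, shared

# Constructed sample of the session list (only the fields used here).
SAMPLE_SESSIONS = [
    {"id": "sess-1", "clients": {"uuid-a": "APP1"}},
    {"id": "sess-2", "clients": {"uuid-b": "APP2"}},
    {"id": "sess-3", "clients": {"uuid-a": "APP1", "uuid-b": "APP2"}},
]
```

The returned `shared` list is what the caller should surface: those sessions still cover APP1, so APP1 has to drop its own tokens locally if it must be logged out without affecting the other clients.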