OIDC Backchannel Logout (Single Logout) with Spring Security

Hi everyone,
I am trying to implement a single logout using the backchannel logout introduced in Keycloak 12 and Spring Security. This topic seems to be really new and not trivial, because I can’t find any examples on the internet. Therefore I hope for your expertise.
The following initial situation:
[Image: keycloak_logout]
I have a Keycloak server instance with a realm and a client (Protocol: openid-connect | Access type: Public). Both Keycloak and my Spring applications run behind a reverse proxy.
I have already successfully implemented a single login. Now I would like to implement a single logout using Spring Security. That means, if a user presses logout in App1, a logout in all other apps should happen automatically via the backchannel (the number of apps is not limited).

Can you please give me some guidance on how to achieve this configuration? What should be entered as “Backchannel Logout URL” in the Keycloak client? The backchannel logout URL is different for each app. Theoretically, each app would have to specify a backchannel logout URL when logging in. If I understand it correctly, then the setting “Backchannel Logout Session Required” is used for this, correct?

I hope you can help me a little.

2 Likes

Hello,

I am also working on the same feature. At the moment I am using a simple keycloak environment on version 12 in combination with spring boot 2.4.5.

What I have already managed to do:

  1. client A login successful
  2. client B login successful
  3. manual global OIDC session invalidation via keycloak admin console (ver.12) → both clients log out. Ok

Where I just get a headache is with the following case:

  1. client A login
  2. client B login
  3. client A logout
    – OIDC session invalidation takes place
  4. backchannel message is sent to client B
  5. adapter consumes the message, but unfortunately does not invalidate its local session, so that the access token transmitted in the message remains valid and the user can continue to do his ‘dirty work’.
    ssl certificates are accepted by both clients and on the keycloak side, so message exchange between all sides is guaranteed.

I think the whole thing might be due to my spring security configuration, which is why the above example would be very interesting as a quick starter from my side.

Thank you very much for a possible example.

This topic seems to be really new and not trivial,

I was trying to understand the backchannel logout yesterday and I made it work with the old/custom way. I was confused due to the two ways of doing it. Let me share how I understood it, please correct me if I’m wrong.

Old way: Keycloak has Admin Url configuration in client settings. If you are using a Keycloak adapter for integration (Spring Boot/Security), using this configuration will be enough for backchannel logout. You need to define different clients for your applications. Then if you fill the Admin Url for each of these clients, Keycloak will send a backchannel logout request to all these clients when a logout occurs. The logout request is a POST request to an endpoint admin-url/k_logout. The client adapter you use automatically adds this endpoint to your application and handles this revocation. It works both for logout from apps, and logout from Admin panel.

New way: In Keycloak version 12.0.0, a new OpenID specification compliant backchannel logout is introduced (Issue, PR). The one before was a custom and Keycloak specific solution. You can also implement this new endpoint based on OpenID spec. The new configuration parameters in the client settings such as Backchannel Logout URL and Backchannel Logout Session Required are for this implementation. If you are using the old way, you must leave these settings empty. If I understand correctly, the client adapters do not support this new implementation.
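
Added example, not code from any poster in this thread, Keycloak, or Spring Security: a plain-JDK sketch of what an application's own Backchannel Logout URL handler has to check in the `logout_token` it receives under the OpenID Connect Back-Channel Logout spec, and how the `sid` claim is used to end the matching local session. The class, registry, issuer URL and client id are hypothetical, the claims are constructed sample data, and the JWT signature is assumed to have been verified already against the issuer's keys.

```java
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class BackchannelLogoutDemo {
    static final String EVENT = "http://schemas.openid.net/event/backchannel-logout";
    // Hypothetical registry: sid claim of the ID token received at login -> local session invalidator.
    static final Map<String, Runnable> SESSIONS_BY_SID = new ConcurrentHashMap<>();
    static final Set<String> SEEN_JTI = ConcurrentHashMap.newKeySet();

    // 'claims' must come from a logout_token whose JWT signature was already verified
    // against the issuer's published keys; that step is not shown here.
    static boolean handleLogoutToken(Map<String, Object> claims, String issuer, String clientId) {
        if (!issuer.equals(claims.get("iss"))) return false;
        Object aud = claims.get("aud"); // a single string or an array of strings
        boolean audOk = aud instanceof Collection
                ? ((Collection<?>) aud).contains(clientId) : clientId.equals(aud);
        if (!audOk || !(claims.get("iat") instanceof Number)) return false;
        if (claims.containsKey("nonce")) return false; // prohibited, so an ID token cannot pass as a logout token
        Object events = claims.get("events");
        if (!(events instanceof Map) || !((Map<?, ?>) events).containsKey(EVENT)) return false;
        Object sid = claims.get("sid"); // assumption: this app insists on sid (the spec also allows sub-only tokens)
        Object jti = claims.get("jti");
        if (!(sid instanceof String) || !(jti instanceof String)) return false;
        if (!SEEN_JTI.add((String) jti)) return false; // token with this jti was already processed
        Runnable invalidate = SESSIONS_BY_SID.remove(sid);
        if (invalidate != null) invalidate.run(); // end the local session, not just consume the message
        return true;
    }

    public static void main(String[] args) {
        boolean[] alive = {true};
        SESSIONS_BY_SID.put("sid-123", () -> alive[0] = false); // stands in for HttpSession.invalidate()
        // Constructed sample claims; issuer URL and client id are placeholders.
        Map<String, Object> token = Map.of("iss", "https://idp.example/realms/demo", "aud", "app2",
                "iat", 1620000000L, "jti", "jti-1", "sid", "sid-123",
                "events", Map.of(EVENT, Map.of()));
        System.out.println("accepted:      " + handleLogoutToken(token, "https://idp.example/realms/demo", "app2"));
        System.out.println("session alive: " + alive[0]);
        System.out.println("replay:        " + handleLogoutToken(token, "https://idp.example/realms/demo", "app2"));
    }
}
```

In a real endpoint the token arrives as the `logout_token` form parameter of a POST, and the spec has the application answer 200 when the logout succeeded and 400 when the token is rejected.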