While testing the backchannel logout of our OIDC client implementation, I noticed the following behavior in Keycloak when multiple sessions exist.
Preconditions:
Log in the user in the same client using, e.g., two browsers. You will see two sessions for the registered OIDC client in Keycloak
On the user’s sessions tab, click on “Logout all sessions”.
This results in one single backchannel request being performed, where of course I can identify the user through SID (ID of one of the two open sessions) or SUB (internal ID of the keycloak user).
Now you can imagine that the client itself may have internal session information (session cookie, other pieces of information of the client) that you’d like to invalidate/terminate as a result of the backchannel request
However, it is impossible for the client to identify which of the sessions to actively terminate, as seemingly only one of the active sessions in Keycloak will be submitted as a backchannel logout request.
How can I identify as a client which sessions to terminate? Is this a bug in keycloak? (I would have expected one request per session to get both SID logout requests in the client), or some other means of transporting the intent to the client of logging out all sessions of the subject.
Best
Oliver