Single Sign-Out (i.e. logout of all sessions)?

We have several mobile applications (Android) and multiple websites that all use the same Keycloak v11 server instance we set up for SSO. The login part seems to be working well so far. Now we want to give our users the ability to log out globally from all apps and websites, allowing them to switch users.

However, when we log them out via the GET /realms/{realm-name}/protocol/openid-connect/logout endpoint, it only seems to end the current session. How can we make it so that it logs them out of ALL sessions across all devices & apps? Is this possible?

The documentation is vague in this regard. Should this log the user out of all sessions or not? What if the call is being made from an isolated WebView or an Incognito Chrome session (i.e. no cookies)? The docs seem to indicate this will only work “if you have an SSO session with your browser”. How would we accomplish this in this scenario?

I’ve found numerous posts suggesting various workarounds, but some are very old and I’m not sure if they’re relevant anymore. So far nothing we’ve tried has worked aside from the “Logout all sessions” button in the KC admin interface. However, this call seems to require an admin token, so I’m not sure how a client app could use that.

I also stumbled upon this “backchannel” logout, but I’m not sure I understand what this is for or how it works. It sounds like Keycloak will try to notify clients of a logout event via an “Admin URL” callback, but how would this work for mobile apps or sessions on other devices?

The docs I’m using: logout, logout-endpoint, logout-endpoint-2

Is this something that is better implemented in v12 / should we upgrade?

Thanks!!

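Added example, not from this thread or from Keycloak's own code: what the application backend (the party that can be reached by a back-channel callback, unlike the mobile apps themselves) has to check when it receives a back-channel logout token before it tears down its local sessions, following the OIDC Back-Channel Logout spec that later Keycloak releases implement. It assumes an HS256 shared secret so it runs offline; a real Keycloak realm signs with RS256 and the signature check must use the realm's JWKS instead. The session store, secret, issuer and client id are constructed demo values.

```python
import base64, hashlib, hmac, json, time
# Event claim that marks a JWT as a back-channel logout token (OIDC Back-Channel Logout 1.0)
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _require(ok: bool, msg: str) -> None:
    if not ok:
        raise ValueError(msg)

def sign_logout_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP: mint an HS256 logout_token (demo only; Keycloak signs with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_logout_token(token: str, secret: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Checks the receiving app must make before acting on a logout_token; raises ValueError on failure."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    # Pin the algorithm; never let the token choose it (blocks alg confusion and 'none').
    _require(json.loads(_b64url_decode(header)).get("alg") == "HS256", "unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(expected, _b64url_decode(sig)), "bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    _require(claims.get("iss") == issuer, "wrong issuer")
    _require(client_id in (aud if isinstance(aud, list) else [aud]), "wrong audience")
    _require(now - 300 <= claims.get("iat", 0) <= now + 60, "iat missing, stale or in the future")
    _require(BACKCHANNEL_EVENT in claims.get("events", {}), "not a back-channel logout event")
    _require("sub" in claims or "sid" in claims, "logout token needs sub or sid")
    _require("nonce" not in claims, "nonce is prohibited: this is not an ID token")
    return claims

def handle_backchannel_logout(token, sessions, secret, issuer, client_id, seen_jti, now=None):
    """sessions: {local_session_id: {"sub": ..., "sid": ...}}. Drops matching sessions, returns their ids."""
    claims = verify_logout_token(token, secret, issuer, client_id, now)
    _require(claims.get("jti") not in seen_jti, "replayed logout token")  # each token is single-use
    seen_jti.add(claims.get("jti"))
    # A sid targets one SSO session; a bare sub means every session of that user (global logout).
    key = "sid" if "sid" in claims else "sub"
    victims = [k for k, s in sessions.items() if s.get(key) == claims[key]]
    for k in victims:
        del sessions[k]
    return victims
```

Exposing an endpoint that calls `handle_backchannel_logout` on the POSTed `logout_token` is what lets a server-side "log out everywhere" from the IdP actually invalidate the backend sessions the apps rely on.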

Hey, did you find any lead on this?