Hello,
I would like to set up the following user workflow for my application, which is an OIDC RP that works with a Keycloak OP.
- User clicks logout (after having logged in)
- RP receives user’s logout request and sends a logout request to OP’s end session URL
- If OP responds with 200 then RP redirects user to the application’s login page
- If OP responds with anything other than 200, RP redirects user to OP’s end session URL.
If Step 3 is true, then I expect the session for the user at the realm to have been deleted.
This approach is based on the following line here:
The endpoint can also be invoked directly by the application. To invoke this endpoint directly, the refresh token needs to be included as well as the credentials required to authenticate the client.
(Edit: how can I include the refresh token?)
However I observe 2 things:
- The session continues to exist.
- I can successfully automatically revisit the application’s page
I include an id_token_hint and a post_logout_uri in the logout request to the OP.
I am sure I am missing something in my understanding of how things should work. I would appreciate any help and guidance.
Many thanks!
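As an added example (not code from the original post or from Keycloak itself), this is how an RP could invoke the logout endpoint directly with the refresh token and client credentials, as the quoted documentation describes, and fall back to the browser redirect when the direct call is not accepted. The issuer URL, client id, client secret and token values are placeholders, and the HTTP transport is injectable so the decision logic can be exercised offline.

```python
from urllib.parse import urlencode
import urllib.request
import urllib.error


def end_session_url(issuer: str) -> str:
    # Keycloak's logout (end-session) endpoint lives under the realm issuer URL.
    return issuer.rstrip("/") + "/protocol/openid-connect/logout"


def build_backchannel_logout(issuer, client_id, client_secret, refresh_token):
    """Form body for invoking the logout endpoint directly (server to server).
    The refresh token and the client credentials are required; Keycloak
    accepts both as application/x-www-form-urlencoded parameters."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "refresh_token": refresh_token}
    return end_session_url(issuer), urlencode(body).encode()


def build_browser_logout_url(issuer, id_token, post_logout_redirect_uri):
    """Front-channel fallback: send the browser to the OP with id_token_hint
    and post_logout_redirect_uri (the standard OIDC parameter name)."""
    query = {"id_token_hint": id_token,
             "post_logout_redirect_uri": post_logout_redirect_uri}
    return end_session_url(issuer) + "?" + urlencode(query)


def http_post(url, body):
    """Default transport: POST the form body and return the HTTP status code."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def rp_logout(issuer, client_id, client_secret, tokens, login_page,
              transport=http_post):
    """RP logout handler: returns the URL the user should be redirected to.
    tokens holds the 'refresh_token' and 'id_token' stored in the RP session."""
    url, body = build_backchannel_logout(issuer, client_id, client_secret,
                                         tokens["refresh_token"])
    status = transport(url, body)
    # Keycloak answers a successful direct logout with 204 No Content, so treat
    # any 2xx as success. The RP must still clear its own session cookie here.
    if 200 <= status < 300:
        return login_page
    # Otherwise let the browser complete the logout interactively at the OP.
    return build_browser_logout_url(issuer, tokens["id_token"], login_page)
```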