[keycloak-user] keycloak logout.js on brokering idp mode

Marek Posolda mposolda at redhat.com
Fri Nov 25 04:09:28 EST 2016 

When you call keycloak.js logout, you will be redirected to the Keycloak 
server LogoutEndpoint. This endpoint will:
- remove the UserSession on Keycloak side
- expire the Keycloak browser cookies
- Send separate backchannel request to all the logged applications, 
which uses servlet adapter (NOT javascript applications) and which has 
"admin URL" configured. This backchannel logout will remove the 
HttpSession for every servlet application on it's side
- Other javascript apps logged in same browser relies on Session IFrame 
. More info in our docs. In shortcut, this IFrame checks every 5 seconds 
if browser cookie KEYCLOAK_SESSION still exists on the Keycloak server 
and it will automatically logout if not. In other words, if you have 2 
javascript applications in same browser at different tabs and you call 
logout from the application1, then the application2 will be 
automatically logged-out too within 5 seconds at max.
- In shortcut: All servlet and javascript apps in same browser will be 
automatically logged-out

Hope this helps,
Marek

On 24/11/16 16:06, java_os wrote:
> Anyone here be able to say what really happens behind the scenes when
> using keycloak.js LOGOUT?
> Need to know how it relates to the following 2 configs:
>   - Single Logout Service URL
>   - Backchannel Logout
>
> My thought is that if the above 2 settings are left empty, keycloak will
> kill its current browser session and redirect to the IDP login page? Y/N?
>
> If SLSU is set will call into the IDP logout url, kill browser session and
> display IDP login page.
> What is Backchannel Logout ON/OFF doing.
> Keycloak devs, anyone can explain in details around logout through
> keycloak.js?
>
> Problem I see, when brokering Shibboleth, it fires request on shib and it
> returns AuthFailed response- no idea why.
> Same flow, when IDP is ADFS runs just fine.
> I know shib I am forced to use is an outdated one: 2.3.3
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list