[keycloak-user] Logout not send k_logout requests

[张庆]

Hi Guys,


I am using keycloak for several application single sign on solution. Keycloak works well in SSO, but I have troubles in single logout. 
According to document [https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers in mailing list. from my understanding, single logout will need following steps:


 app a in http://172.17.0.1:5000 -> client_a 
 app b in http://172.17.0.5:3000 -> client_b 
 keycloak in http://172.17.0.2:8080


 1. add admin_url for each client (just like following settings)
   * Client Protocol: openid-connect
   * Access Type: confidential
   * Root URL: http://172.17.0.1:5000/
   * Valid Redirect URls: http://172.17.0.1:5000/*
   * Base URL: http://172.17.0.1:5000/
   * Admin URL: http://172.17.0.1:5000/


 2. Logout by redirect brower to http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=http://172.17.0.1:5000/


 3. All client sessions for user in current browser will be destroyed and keycloak will send logout signal (k_logout) to each client (admin_url), each client recieve the logout signal to remove user login info


In my experiment, by watch keycloak Manage/Sessions page, when the browser redirect to keycloak logout url, all session for current user have been destroyed, but app a and b do not recieved k_logout request. But if I direct click  "logout all" button in Manage/Sessions page, all sessions have been destroyed and both app a and b recieved k_logout request. By redirect to logout url, the sessions have been destroyed, but not send logout signal each application still login status. What am I misunderstanding? Is there any detail example for single logout? I expect that user click logout in app a and all application in same realm logout together. 


Another trouble is the client I used is openid-client which not implemented k_logout, how should I handle k_logout request, is there any document for handle k_logout?




Thanks
Qing Zhang