[keycloak-user] Logout not send k_logout requests
张庆
zqzq71 at shu.edu.cn
Tue Sep 3 03:45:42 EDT 2019
Hi Guys,
I am using Keycloak as a single sign-on solution for several applications. Keycloak works well for SSO, but I have trouble with single logout.
According to the documentation [https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers on the mailing list, from my understanding, single logout needs the following steps:
app a in http://172.17.0.1:5000 -> client_a
app b in http://172.17.0.5:3000 -> client_b
keycloak in http://172.17.0.2:8080
1. Add admin_url for each client (like the following settings)
* Client Protocol: openid-connect
* Access Type: confidential
* Root URL: http://172.17.0.1:5000/
* Valid Redirect URLs: http://172.17.0.1:5000/*
* Base URL: http://172.17.0.1:5000/
* Admin URL: http://172.17.0.1:5000/
2. Log out by redirecting the browser to http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=http://172.17.0.1:5000/
3. All client sessions for the user in the current browser will be destroyed and Keycloak will send a logout signal (k_logout) to each client (admin_url); each client receives the logout signal and removes the user's login info
In my experiment, watching the Keycloak Manage/Sessions page, when the browser redirects to the Keycloak logout URL, all sessions for the current user are destroyed, but apps a and b do not receive a k_logout request. But if I directly click the "logout all" button on the Manage/Sessions page, all sessions are destroyed and both app a and b receive a k_logout request. When redirecting to the logout URL, the sessions are destroyed, but no logout signal is sent, and each application still has logged-in status. What am I misunderstanding? Is there any detailed example for single logout? I expect that when a user clicks logout in app a, all applications in the same realm log out together.
Another problem is that the client I use is openid-client, which does not implement k_logout. How should I handle the k_logout request? Is there any documentation for handling k_logout?
Thanks
Qing Zhang
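
On the question of handling k_logout in a client that does not implement it, here is a receiving-side handler, added as an example and not taken from the original post, Keycloak, or openid-client. It assumes the POST body sent to `<Admin URL>/k_logout` is a compact RS256 JWS signed with the realm key, with payload fields `action`, `resource`, `expiration` (seconds), `adapterSessionIds` and `keycloakSessionIds`, and that the app recorded the Keycloak session id at login; `handleKLogout`, `signSample` and the session map are hypothetical names.

```javascript
// Added example: verify a k_logout request before destroying any local session.
const crypto = require('node:crypto');

const fromB64url = (s) => Buffer.from(s, 'base64url');

// Verifies the compact JWS posted to <Admin URL>/k_logout and removes the
// matching local sessions. Returns the removed local session ids and throws
// if the request must be rejected. Field names are assumptions (see lead-in).
function handleKLogout(body, realmPublicKey, clientId, sessions, nowSec) {
  const parts = String(body).trim().split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, sig] = parts;
  // Pin the algorithm instead of letting the token choose it.
  if (JSON.parse(fromB64url(h)).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, realmPublicKey, fromB64url(sig))) {
    throw new Error('bad signature');
  }
  const action = JSON.parse(fromB64url(p));
  if (action.action !== 'LOGOUT') throw new Error('unsupported action');
  if (action.resource !== clientId) throw new Error('wrong client');
  if (!(action.expiration >= nowSec)) throw new Error('expired'); // also rejects a missing value
  const local = new Set(action.adapterSessionIds || []);
  const remote = new Set(action.keycloakSessionIds || []);
  const removed = [];
  for (const [id, s] of sessions) {
    if (local.has(id) || remote.has(s.keycloakSessionId)) {
      sessions.delete(id);
      removed.push(id);
    }
  }
  return removed;
}

// Constructed sample: a throwaway key pair stands in for the realm key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
const sampleAction = { action: 'LOGOUT', resource: 'client_a', expiration: 1567500372,
  keycloakSessionIds: ['kc-session-1'] };
const sampleBody = signSample(sampleAction);
```

In a real route the body must be read as raw text, not JSON, and any thrown error should map to a 4xx response without touching the session store.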