[keycloak-user] Logout not send k_logout requests

张庆 zqzq71 at shu.edu.cn
Thu Sep 5 21:29:34 EDT 2019


Hi Peter:

    Thank you very much for the reply. I am using flask_oidc (OpenIDConnect) in flask and OAuth2 Provider (openid-connect) in Gitea as the adapter for keycloak.

    After logging in to keycloak, flask and gitea are logged in. Then I redirect the browser to "http://xxxx/auth/realms/myrealms/protocol/openid-connect/logout?redirect_uri=xxxx" and refresh the browser; gitea is still logged in and flask throws an exception (it looks like the session in keycloak was destroyed but flask still has the old token?)


Thanks,
Qing Zhang


> -----Original Messages-----
> From: "Peter Skopek" <pskopek at redhat.com>
> Sent Time: 2019-09-05 18:16:26 (Thursday)
> To: "张庆" <zqzq71 at shu.edu.cn>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Logout not send k_logout requests
> 
> Hi Qing Zhang,
> what keycloak adapter is your client using?
> It will help if you can share your client (even partially).
> 
> Regards,
> Peter
> 
> On Tue, Sep 3, 2019 at 9:54 AM 张庆 <zqzq71 at shu.edu.cn> wrote:
> >
> > Hi Guys,
> >
> >
> > I am using keycloak as a single sign-on solution for several applications. Keycloak works well for SSO, but I have trouble with single logout.
> > According to the documentation [https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers on the mailing list, from my understanding, single logout needs the following steps:
> >
> >
> >  app a in http://172.17.0.1:5000 -> client_a
> >  app b in http://172.17.0.5:3000 -> client_b
> >  keycloak in http://172.17.0.2:8080
> >
> >
> >  1. Add admin_url for each client (just like the following settings)
> >    * Client Protocol: openid-connect
> >    * Access Type: confidential
> >    * Root URL: http://172.17.0.1:5000/
> >    * Valid Redirect URIs: http://172.17.0.1:5000/*
> >    * Base URL: http://172.17.0.1:5000/
> >    * Admin URL: http://172.17.0.1:5000/
> >
> >
> >  2. Log out by redirecting the browser to http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=http://172.17.0.1:5000/
> >
> >
> >  3. All client sessions for the user in the current browser will be destroyed and keycloak will send a logout signal (k_logout) to each client (admin_url); each client receives the logout signal and removes the user's login info
> >
> >
> > In my experiment, watching the keycloak Manage/Sessions page, when the browser redirects to the keycloak logout url, all sessions for the current user are destroyed, but app a and b do not receive the k_logout request. But if I directly click the "logout all" button in the Manage/Sessions page, all sessions are destroyed and both app a and b receive the k_logout request. When redirecting to the logout url, the sessions are destroyed, but the logout signal is not sent and each application stays logged in. What am I misunderstanding? Is there any detailed example for single logout? I expect that when the user clicks logout in app a, all applications in the same realm log out together.
> >
> >
> > Another problem is that the client I use is openid-client, which does not implement k_logout. How should I handle the k_logout request? Is there any documentation for handling k_logout?
> >
> >
> >
> >
> > Thanks
> > Qing Zhang