I think I can solve this by moving the admin console and its REST API
under /realms/{realm}.
URL would be:
/realms/{realm}/console/index.html
/realms/{realm}/console/{.js, .html, .img}
/realms/{realm}/console/realms/{realm}/... admin REST API
To protect against CSRF (not sure it's applicable to JSON services
anyway), we can do double authentication with the realm's Identity
cookie and an access token for REST calls.
When a user does a single-sign-off, this will expire the realm's global
identity cookie, and thus, the admin console would then also
automatically be logged out.
BTW, this single-sign-off problem exists for all JavaScript apps secured
by keycloak.js or that don't have a server-side session we can call back.
We might be able to use:
http://openid.net/specs/openid-connect-session-1_0.html
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
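Added example (not Keycloak's or the author's code) modelling the double check proposed above: an admin REST call is accepted only when the browser-sent realm identity cookie and a script-attached bearer token both verify and name the same live session. A forged cross-site request carries only the cookie, so it fails; a single sign-off drops the session, so both credentials stop working together. The signing key, session store and session id format are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed stand-ins for the realm's signing key and server-side session
# registry (illustrative only, not how Keycloak stores either).
REALM_KEY = b"constructed-realm-signing-key"
REALM = "demo"
ACTIVE_SESSIONS = {}  # session id -> user; single sign-off removes the entry

def sign(value: str) -> str:
    """Append an HMAC so a tampered cookie or token is detectable."""
    return value + "." + hmac.new(REALM_KEY, value.encode(), hashlib.sha256).hexdigest()

def verify(signed: str):
    """Return the payload when the HMAC matches, otherwise None."""
    payload, _, sig = signed.rpartition(".")
    expected = hmac.new(REALM_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(sig, expected) else None

def login(user: str):
    """Issue the realm identity cookie and an access token bound to one session."""
    sid = secrets.token_hex(8)
    ACTIVE_SESSIONS[sid] = user
    cookie = sign(f"{REALM}:{sid}")         # sent automatically by the browser
    token = sign(f"{REALM}:{sid}:access")   # attached by JS in the Authorization header
    return cookie, token

def single_sign_off(cookie: str) -> None:
    """Expire the realm session; every token tied to it dies with it."""
    payload = verify(cookie)
    if payload:
        ACTIVE_SESSIONS.pop(payload.split(":")[1], None)

def authorize_admin_call(cookie, auth_header) -> bool:
    """Pass only when both credentials verify and share the same live session."""
    if not cookie or not auth_header or not auth_header.startswith("Bearer "):
        return False
    c = verify(cookie)
    t = verify(auth_header[len("Bearer "):])
    if c is None or t is None:
        return False
    c_realm, c_sid = c.split(":")[:2]
    t_realm, t_sid = t.split(":")[:2]
    return c_realm == REALM == t_realm and c_sid == t_sid and c_sid in ACTIVE_SESSIONS
```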