I think this is a bug. We probably don't refresh the token that is
obtained by the "child" IDP.
Hi,
I configured an OIDC identity provider by selecting the "OpenID Connect
v1.0" identity provider from the drop-down box in the top right corner
of the identity providers table in Keycloak's Admin Console. During
the configuration process, I also configured the "Logout Url" for the IDP
logout URL.
When I try to log out to the external IDP, the browser is redirected to
the external IDP to perform the logout. I can see a URL as follows:
https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openi...
"keycloakdev.xxxxxxx.com" is where the external IDP is located.
"Internal" is the name of the realm. The parameters "state" and
"id_token_hint" are appended to the endpoint logout URL automatically
during the logout process.
However, this process failed because I got a "Session Not Active" error
in the UI. After some investigation, I found this "Session Not
Active" error seems to be related to the value of Realm Setting ->
Tokens -> Access Token Lifespan I configured. The default value is 5
minutes; if I trigger the logout within 5 minutes, I can log out to the
external IDP successfully. If I do the logout after 5 minutes, I
get this "Session Not Active" error. Is this the expected behavior?
Do I have to bump up the value of "Access Token Lifespan" to get a
longer session for the logout purpose?
Thanks a lot for the help!
Xiao
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
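A diagnostic for the symptom described in the thread, added here and not taken from the thread or from Keycloak: it parses the id_token_hint carried by the logout redirect and reports whether that token had already expired when the logout was triggered, which is the first thing to confirm before changing Access Token Lifespan. The hosts, the state value, the token contents and its signature are constructed placeholders, and the claims are read without verifying the signature.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_claims(token: str) -> dict:
    # Diagnostic read of the claims only; the signature is NOT verified here,
    # so use this to explain a failure, never to accept a token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a three-part compact JWS")
    return json.loads(b64url_decode(parts[1]))

def inspect_logout_redirect(url: str, now: int) -> dict:
    # Does the redirect carry state and id_token_hint, and is the hint valid at `now`?
    query = parse_qs(urlparse(url).query)
    if "id_token_hint" not in query:
        return {"has_hint": False, "has_state": "state" in query}
    claims = jwt_claims(query["id_token_hint"][0])
    exp, iat = int(claims["exp"]), int(claims.get("iat", claims["exp"]))
    return {
        "has_hint": True,
        "has_state": "state" in query,
        "issuer": claims.get("iss"),
        "lifetime_seconds": exp - iat,  # what the issuing IDP granted
        "age_seconds": now - iat,       # how long before the logout it was issued
        "expired": now >= exp,          # RFC 7519: valid only while now < exp
    }

# Constructed sample: a 300 s token (the 5-minute default lifespan the thread
# mentions) with placeholder issuer host, state value and signature.
ISSUED_AT = 1_700_000_000
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"iss": "https://idp.example/realms/Internal",
                              "sub": "xiao", "iat": ISSUED_AT,
                              "exp": ISSUED_AT + 300}).encode()),
    "placeholder-signature",
])
SAMPLE_URL = ("https://idp.example/realms/Internal/logout"
              f"?state=constructed-state&id_token_hint={SAMPLE_TOKEN}")

if __name__ == "__main__":
    for offset in (60, 600):  # logout 1 minute vs. 10 minutes after login
        print(offset, inspect_logout_redirect(SAMPLE_URL, ISSUED_AT + offset))
```

If the report says `expired: True` for a logout a few minutes after login, the failing piece is the token handed to the external IDP, not the Keycloak session itself; a longer Access Token Lifespan only widens the window rather than removing the dependency.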