I'm using 1.7.0 final integrated with Spring Security (which itself is integrated into Grails) using OpenID Connect method. I've been kind of stuck with single (back-channel, k_logout) logout for a while.

It seems it's handled by the preAuthActions filter which simply invalidates local sessions via a call to an injected HttpSessionManager. This manager stores active sessions in its instance and puts/removes them as a reaction on HttpSessionEvent.

It looks like the HttpSessionManager has to be registered as JEE Listener in order to receive HttpSessionEvents. However, then you end up with two different instances - the listener and the bean in preAuthActions. Thus invalidation process can't reach the sessions stored in listener's instance and can't invalidate them at all.