Hi Guys,
I am using Keycloak as a single sign-on solution for several applications. Keycloak works well
for SSO, but I have trouble with single logout.
According to the document [https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers
on the mailing list, from my understanding single logout needs the following steps:
app a at http://172.17.0.1:5000 -> client_a
app b at http://172.17.0.5:3000 -> client_b
keycloak at http://172.17.0.2:8080
1. Add an admin_url for each client (like the following settings):
* Client Protocol: openid-connect
* Access Type: confidential
* Root URL: http://172.17.0.1:5000/
* Valid Redirect URIs: http://172.17.0.1:5000/*
* Base URL: http://172.17.0.1:5000/
* Admin URL: http://172.17.0.1:5000/
2. Log out by redirecting the browser to http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout...
3. All client sessions for the user in the current browser will be destroyed and Keycloak will
send a logout signal (k_logout) to each client (admin_url); each client receives the logout
signal and removes the user's login info.
In my experiment, watching the Keycloak Manage/Sessions page, when the browser redirects to the
Keycloak logout URL, all sessions for the current user are destroyed, but app a and app b do
not receive a k_logout request. But if I directly click the "logout all" button on the
Manage/Sessions page, all sessions are destroyed and both app a and app b receive the
k_logout request. When redirecting to the logout URL, the sessions are destroyed, but no
logout signal is sent, so each application is still in the logged-in state. What am I misunderstanding? Is
there any detailed example for single logout? I expect that when the user clicks logout in app a,
all applications in the same realm log out together.
Another trouble is that the client I use is openid-client, which does not implement k_logout. How
should I handle the k_logout request, and is there any document on handling k_logout?
Thanks
Qing Zhang