[keycloak-user] Confused about backchannel logout with a Java adapter

I was trying to understand the flow of a backchannel logout from my web application. I find the documentation confusing. The documentation for logging out ( https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html ) says: You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou..., which logs you out if you have an SSO session with your browser. The documentation for the Admin URL configuration ( https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration) says: For example the way backchannel logout works is: 1. User sends logout request from one application 2. The application sends logout request to Keycloak 3. The Keycloak server invalidates the user session 4. The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session 5. When an application receives the logout request it invalidates the corresponding HTTP session So from my understanding, either: 1. calling HttpServletRequest.logout() is supposed to magically send a request to Keycloak (obviously not possible). 2. a GET to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou... should magically detect the clientId and send a request to the appropriate backchannel (doesn't happen either). I've tried sending the GET to the logout endpoint with an access_token, but that doesn't make any difference either. What am I misunderstanding from this documentation? How am I supposed to code the logout? Thanks, Eric