Hi Peter:
Thank you very much for the reply. I am using flask_oidc (OpenIDConnect) in flask and
OAuth2 Provider (openid-connect) in Gitea as the adapter for keycloak.
After login in keycloak, flask and gitea have been logged in, then I redirect browser
to
"http://xxxx/auth/realms/myrealms/protocol/openid-connect/logout?redirect_uri=xxxx",
refresh the browser, gitea still logged in and flask throw an exception (look like the
session in keycloak destroyed but flask still have the old token?)
Thanks,
Qing Zhang
-----Original Messages-----
From: "Peter Skopek" <pskopek(a)redhat.com>
Sent Time: 2019-09-05 18:16:26 (Thursday)
To: "张庆" <zqzq71(a)shu.edu.cn>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Logout not send k_logout requests
Hi Qing Zhang,
what keycloak adpter is your client using?
It will help if you can share your client (even partially).
Regards,
Peter
On Tue, Sep 3, 2019 at 9:54 AM 张庆 <zqzq71(a)shu.edu.cn> wrote:
>
> Hi Guys,
>
>
> I am using keycloak for several application single sign on solution. Keycloak works
well in SSO, but I have troubles in single logout.
> According to document
[
https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers
in mailing list. from my understanding, single logout will need following steps:
>
>
> app a in
http://172.17.0.1:5000 -> client_a
> app b in
http://172.17.0.5:3000 -> client_b
> keycloak in
http://172.17.0.2:8080
>
>
> 1. add admin_url for each client (just like following settings)
> * Client Protocol: openid-connect
> * Access Type: confidential
> * Root URL:
http://172.17.0.1:5000/
> * Valid Redirect URls:
http://172.17.0.1:5000/*
> * Base URL:
http://172.17.0.1:5000/
> * Admin URL:
http://172.17.0.1:5000/
>
>
> 2. Logout by redirect brower to
http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout...
>
>
> 3. All client sessions for user in current browser will be destroyed and keycloak
will send logout signal (k_logout) to each client (admin_url), each client recieve the
logout signal to remove user login info
>
>
> In my experiment, by watch keycloak Manage/Sessions page, when the browser redirect
to keycloak logout url, all session for current user have been destroyed, but app a and b
do not recieved k_logout request. But if I direct click "logout all" button in
Manage/Sessions page, all sessions have been destroyed and both app a and b recieved
k_logout request. By redirect to logout url, the sessions have been destroyed, but not
send logout signal each application still login status. What am I misunderstanding? Is
there any detail example for single logout? I expect that user click logout in app a and
all application in same realm logout together.
>
>
> Another trouble is the client I used is openid-client which not implemented
k_logout, how should I handle k_logout request, is there any document for handle
k_logout?
>
>
>
>
> Thanks
> Qing Zhang
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user