On Dec 16, 2015, at 6:40 AM, Andy Yar <andyyar66(a)gmail.com&gt; wrote: Hello, I'm using 1.7.0 final integrated with Spring Security (which itself is integrated into Grails) using OpenID Connect method. I've been kind of stuck with single (back-channel, k_logout) logout for a while. It seems it's handled by the preAuthActions filter which simply invalidates local sessions via a call to an injected HttpSessionManager. This manager stores active sessions in its instance and puts/removes them as a reaction on HttpSessionEvent. It looks like the HttpSessionManager has to be registered as JEE Listener in order to receive HttpSessionEvents. However, then you end up with two different instances - the listener and the bean in preAuthActions. Thus invalidation process can't reach the sessions stored in listener's instance and can't invalidate them at all. A big sorry if I miss something very obvious. Andy _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user