Thanks to Dmitry Telegin, here is the solution.
Need to POST to end_session_endpoint, in my case https://
encoded refresh token>
with Authorizaton header equal to "Basic base64(client_id:client_secret)"
The only problem is value of client_id and client_secret in Authorization
header should be url-encoded according to section 2.3.1 of oauth spec (
). But KC does not perform
url-decode, if client_id/secret is taken from header.
I want to make a fix for it (add url-decode). Will it be accepted?
пн, 21 янв. 2019 г. в 11:10, Мартынов Илья <imartynovsp(a)gmail.com>:
My RP should support dropping user's session by admin. I need to drop KC
session together with RP's session. But I can't use frontchannel here as
admin is dropping session for another user. So RP-initiated backchannel
logout is required. I see no docs about this functionality in KC. We use
OpenID Connect between RP and KC, so I've searched protocol specs.
From section "3. RP-Initiated Logout Functionality" of
section "5. RP-Initiated Logout" of
one can conclude
that sending backchannel request to end_session_endpoint with ID token
should drop the session on KC side.
Could you please comment, is my understanding correct?