[keycloak-user] Log out server sessions when using bearer authentication

Dan Østerberg dan at ren.no
Thu Dec 29 05:27:19 EST 2016


Hi,

How can we make single sign-out work when passing bearer tokens to a server guarded by a «traditional» session-based OAuth2 client / adapter?

Let's say we use bearer authentication via the JavaScript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created – either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign-out won’t work, because Keycloak is neither aware of the server session nor of the OAuth2 client that has an admin URL.

One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I’m just missing or misunderstanding something...

~Dan
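One mitigation for the auto-created-session problem described above, as an added example (not code from the original post or from Keycloak): a servlet filter that refuses to create an HTTP session on any request carrying a bearer token, so the stateless REST path stays stateless and no server session exists that single sign-out could miss. The `/api/*` path and the filter name are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example (hypothetical): keep bearer-authenticated REST requests free of
// server-side HTTP sessions. Session creation is refused, not silently ignored,
// so shared code that calls request.getSession() fails visibly instead of
// leaving behind a session that Keycloak's single sign-out cannot reach.
@WebFilter("/api/*")
public class NoSessionForBearerFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String auth = http.getHeader("Authorization");
        // Case-insensitive check for an "Authorization: Bearer <token>" header.
        boolean bearer = auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
        chain.doFilter(bearer ? new SessionlessRequest(http) : http, res);
    }

    /** Request wrapper that blocks session creation for bearer requests. */
    static class SessionlessRequest extends HttpServletRequestWrapper {
        SessionlessRequest(HttpServletRequest request) { super(request); }

        @Override
        public HttpSession getSession(boolean create) {
            // A session that already exists (e.g. from a browser login flow) is
            // still returned; only the creation of a new one is refused.
            HttpSession existing = super.getSession(false);
            if (existing == null && create) {
                throw new IllegalStateException(
                    "Refusing to create an HTTP session for a bearer-authenticated request");
            }
            return existing;
        }

        @Override
        public HttpSession getSession() {
            return getSession(true);
        }
    }
}
```

Throwing makes unintended session creation show up immediately in testing; returning null instead would suppress it silently. JSP pages create sessions before any filter-wrapped call, so they additionally need `<%@ page session="false" %>` on the bearer-only paths.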

