[keycloak-user] keycloak logout.js on brokering idp mode
mposolda at redhat.com
Fri Nov 25 04:09:28 EST 2016
When you call keycloak.js logout, you will be redirected to the Keycloak
server LogoutEndpoint. This endpoint will:
- remove the UserSession on Keycloak side
- expire the Keycloak browser cookies
- Send separate backchannel request to all the logged applications,
"admin URL" configured. This backchannel logout will remove the
HttpSession for every servlet application on it's side
. More info in our docs. In shortcut, this IFrame checks every 5 seconds
if browser cookie KEYCLOAK_SESSION still exists on the Keycloak server
and it will automatically logout if not. In other words, if you have 2
logout from the application1, then the application2 will be
automatically logged-out too within 5 seconds at max.
Hope this helps,
On 24/11/16 16:06, java_os wrote:
> Anyone here be able to say what really happens behind the scenes when
> using keycloak.js LOGOUT?
> Need to know how it relates to the following 2 configs:
> - Single Logout Service URL
> - Backchannel Logout
> My thought is that if the above 2 settings are left empty, keycloak will
> kill its current browser session and redirect to the IDP login page? Y/N?
> If SLSU is set will call into the IDP logout url, kill browser session and
> display IDP login page.
> What is Backchannel Logout ON/OFF doing.
> Keycloak devs, anyone can explain in details around logout through
> Problem I see, when brokering Shibboleth, it fires request on shib and it
> returns AuthFailed response- no idea why.
> Same flow, when IDP is ADFS runs just fine.
> I know shib I am forced to use is an outdated one: 2.3.3
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
More information about the keycloak-user