[keycloak-user] Confused about backchannel logout with a Java adapter
Eric B
ebenzacar at gmail.com
Wed May 2 16:41:44 EDT 2018
I was trying to understand the flow of a backchannel logout from my web
application.
I find the documentation confusing. The documentation for logging out (
https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html
) says:
You can log out of a web application in multiple ways. For Java EE servlet
containers, you can call HttpServletRequest.logout(). For other browser
applications, you can redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri,
which logs you out if you have an SSO session with your browser.
The documentation for the Admin URL configuration (
https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration)
says:
For example the way backchannel logout works is:
1. User sends logout request from one application
2. The application sends logout request to Keycloak
3. The Keycloak server invalidates the user session
4. The Keycloak server then sends a backchannel request to application with
an admin url that are associated with the session
5. When an application receives the logout request it invalidates the
corresponding HTTP session
So from my understanding, either:
1. calling HttpServletRequest.logout() is supposed to magically send a
request to Keycloak (obviously not possible).
2. a GET to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
should magically detect the clientId and send a request to the appropriate
backchannel (doesn't happen either).
I've tried sending the GET to the logout endpoint with an access_token, but
that doesn't make any difference either.
What am I misunderstanding from this documentation? How am I supposed to
code the logout?
Thanks,
Eric
More information about the keycloak-user
mailing list