[keycloak-user] Confused about backchannel logout with a Java adapter

Schenk, Manfred Manfred.Schenk at iosb.fraunhofer.de
Fri May 4 05:52:03 EDT 2018


My understanding is:

From the viewpoint of the web application it would be sufficient to call HttpServletRequest.logout(). But since this web application is running within an SSO environment it would be nice to also inform the SSO provider about the logout. The provider will then distribute these logout events to all registered clients.


So you have to do several things in your web-application:
1) provide some UI-interface for logout (e.g. a Logout Button)
2) this UI interface should call HttpServletRequest.logout() (to end the session in the current web application) and also signal the logout to the SSO provider.
3) The web-application should handle incoming logout requests from the SSO-provider (user has logged out within another application) by calling HttpServletRequest.logout() to end the current session

The confusion might be that two different aspects of logout are mixed here: the logout of the local session and the logout signalling of the SSO-session.


I hope I explained it correctly.

Regards,
Manfred


-- 
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Eric B
Sent: Wednesday, May 2, 2018 22:42
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Confused about backchannel logout with a Java adapter

I was trying to understand the flow of a backchannel logout from my web application.

I find the documentation confusing.  The documentation for logging out ( https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html
) says:


You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri,
which logs you out if you have an SSO session with your browser.

The documentation for the Admin URL configuration (
https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration)
says:

For example the way backchannel logout works is:
1. User sends logout request from one application
2. The application sends logout request to Keycloak
3. The Keycloak server invalidates the user session
4. The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session
5. When an application receives the logout request it invalidates the corresponding HTTP session



So from my understanding, either:

   1. calling HttpServletRequest.logout() is supposed to magically send a
   request to Keycloak (obviously not possible).
   2. a GET to
   http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
   should magically detect the clientId and send a request to the appropriate
   backchannel (doesn't happen either).


I've tried sending the GET to the logout endpoint with an access_token, but that doesn't make any difference either.

What am I misunderstanding from this documentation?  How am I supposed to code the logout?

Thanks,

Eric
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
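The three steps Manfred lists in his reply, written out as a servlet for an application protected by the Keycloak servlet adapter. This is an added example for this thread, not code from the thread or from the Keycloak project; the servlet path, the init parameter names (keycloak.auth-server-url, keycloak.realm, app.post-logout-url) and the logout form are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet for a web application secured by the Keycloak servlet adapter.
 * Added illustration for this thread; not Keycloak project code.
 *
 * Assumed configuration (context init parameters, names chosen for this example):
 *   keycloak.auth-server-url  e.g. http://auth-server/auth
 *   keycloak.realm            the realm the application belongs to
 *   app.post-logout-url       where the browser should land afterwards; it must be
 *                             one of the client's registered valid redirect URIs
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Step 1: the UI for logout. The button submits a POST so that a plain link
    // or image embedded on a third-party page cannot log the user out.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(
                "<form method=\"post\" action=\"logout\"><button>Log out</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Step 2a: end the local session in this web application.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2b: signal the logout to the SSO provider. Keycloak invalidates the
        // SSO session and sends the backchannel logout to the other clients.
        String authServer = getServletContext().getInitParameter("keycloak.auth-server-url");
        String realm = getServletContext().getInitParameter("keycloak.realm");
        String backTo = getServletContext().getInitParameter("app.post-logout-url");

        String logoutUrl = authServer + "/realms/" + realm
                + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(backTo, "UTF-8");
        resp.sendRedirect(logoutUrl);
    }
}
```

Step 3, the incoming backchannel logout, needs no servlet of its own here: the Keycloak servlet adapter listens on the client's configured admin URL and invalidates the matching HTTP session when Keycloak calls it, which is the part of the flow the quoted documentation describes.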
