[keycloak-user] back channel logout in case of keycloak adapter sitting behind reverse proxy.
Madhu
kkcmadhu at yahoo.com
Fri Nov 30 00:06:27 EST 2018
Hi,
I am exploring on how to implement back channel logouts/ sso logout properly and have a question in this regard.
I have a set of applications (say App1, App2, App3) which are integreated with keycloak through servelet adapter (keycloak-servlet-adapters and keycloak-spring-boot2-adapters).. Each of this application for HA/scalablity resons sit behind their own reverse proxies..
So typically there will be multiple instance of each application App1-Node1, App1-Node2.. App1-Node'n' , like wise App2-Node1,App2-Node2,App2-Node'n'.. and so on for each of the Apps.
When a user u1,logs on to App1 and App2 an SSO session is establised in keycloak, and in the user sessions i see that user has connected to clients App1 and App2 ( app1 and app2 are clients in keycloak realm)..
When user logged on App1-Node1 took the request, and for App2, App2-Node2 took the request..
On the keycloak side, the admin urls are configured with the Reverse proxy url of the each Apps ( same as the valid rediect and base url).
When a SSO logout happens, how can i ensure that the keycloak server sends the SSO logout signal (k_logout) to the correct node? Will keycloak preserve the headers which came at the time of orignial login request and use them while sending admin requests as well ? ( so that the reverse proxy could dispatch the request to correct node, assuming that the application is configured to be sticky)..
Regards,Madhu
More information about the keycloak-user
mailing list