[keycloak-user] RP-initiated backchannel logout

Мартынов Илья imartynovsp at gmail.com
Thu Feb 7 11:59:01 EST 2019

Thanks to Dmitry Telegin, here is the solution.
Need to POST to end_session_endpoint, in my case https://
encoded refresh token>
with Authorization header equal to "Basic base64(client_id:client_secret)"
The only problem is that the values of client_id and client_secret in the
Authorization header should be url-encoded according to section 2.3.1 of the
OAuth spec (https://www.rfc-editor.org/rfc/rfc6749.txt). But KC does not
perform url-decode if client_id/secret is taken from the header.
I want to make a fix for it (add url-decode). Will it be accepted?

Mon, Jan 21, 2019 at 11:10, Мартынов Илья <imartynovsp at gmail.com>:

> Hello,
> My RP should support dropping user's session by admin. I need to drop KC
> session together with RP's session. But I can't use frontchannel here as
> admin is dropping session for another user. So RP-initiated backchannel
> logout is required. I see no docs about this functionality in KC. We use
> OpenID Connect between RP and KC, so I've searched protocol specs.
>  From section "3.  RP-Initiated Logout Functionality" of
> https://openid.net/specs/openid-connect-backchannel-1_0.html and from
> section "5.  RP-Initiated Logout" of
> https://openid.net/specs/openid-connect-session-1_0.html one can conclude
> that sending backchannel request to end_session_endpoint with ID token
> should drop the session on KC side.
> Could you please comment, is my understanding correct?
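
Added example (not part of the original message and not Keycloak code): how a client builds the Basic header under RFC 6749 section 2.3.1, and why a server that skips the url-decode step rejects credentials containing reserved characters. The function names and the sample client_id/secret are constructed for illustration; urllib's quote_plus stands in for the form-urlencoded algorithm.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample credentials containing characters that must be encoded.
CLIENT_ID = "rp:admin-console"
CLIENT_SECRET = "p@ss+w%rd/1"


def build_basic_header(client_id, client_secret):
    """Client side: form-urlencode each value, join with ':', then base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def parse_basic_header(header, url_decode):
    """Server side: undo base64, split on the first ':', optionally url-decode."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if url_decode:
        # Decode only after splitting, so an encoded ':' (%3A) in the
        # client_id cannot be mistaken for the separator.
        client_id, secret = unquote_plus(client_id), unquote_plus(secret)
    return client_id, secret


def authenticate(header, url_decode):
    """Compare the parsed pair with the registered one in constant time."""
    client_id, secret = parse_basic_header(header, url_decode)
    id_ok = hmac.compare_digest(client_id.encode(), CLIENT_ID.encode())
    secret_ok = hmac.compare_digest(secret.encode(), CLIENT_SECRET.encode())
    return id_ok and secret_ok


if __name__ == "__main__":
    hdr = build_basic_header(CLIENT_ID, CLIENT_SECRET)
    print("with url-decode:   ", authenticate(hdr, url_decode=True))
    print("without url-decode:", authenticate(hdr, url_decode=False))
```

Credentials made only of unreserved characters pass either way, which is why the missing decode step goes unnoticed until a secret contains something like '+', '%' or ':'.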
