[keycloak-user] keycloak does not send backchannel logout requests to Admin URL

Leonid Rozenblyum lrozenblyum at gmail.com
Tue Nov 12 02:16:58 EST 2019


The adapter creates REST endpoints to listen for the logout event.
Suppose there are 2 apps under SSO. You execute a log-out from one of them.
The other one receives a backchannel call from Keycloak about the log-out
event to immediately terminate the session.
Otherwise the 2nd app will know about the session invalidation only after the
next request to Keycloak (e.g. for refreshing a token).

I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak 7.0.1;
however, it still contained a bug for Single Logout, which is why I had to
promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.

Until Keycloak 8 is released I had to apply a workaround of custom
HttpSessionManager registration.


On Tue, Nov 12, 2019 at 6:09 AM mn at fstrk.io <mn at fstrk.io> wrote:

> Anyway, if you've made this work, please specify the versions of the
> libraries you used; I will find a Java friend to put them together, and
> then I'll look at HTTP requests issued and implement them in Python :)
>
> 11.11.19 23:06, Leonid Rozenblyum wrote:
>
> Well, since the Spring Security adapter is used inside Java client software
> to secure communication with Keycloak, and you're developing your software
> in Python - it seems to be another problem...
>
> According to the docs:
>
>
> *Admin URL*
> For *Keycloak specific* client adapters, this is the callback endpoint
> for the client. The Keycloak server will use this URI to make callbacks
> like pushing revocation policies, performing backchannel logout, and other
> administrative operations. For Keycloak servlet adapters, this can be the
> root URL of the servlet application. For more information see Securing
> Applications and Services Guide.
>
> It looks like the Python OIDC library is not Keycloak-specific, so Admin URL
> is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn at fstrk.io <mn at fstrk.io> wrote:
>
>> I would love to try it, but I am a Python guy and I am not sure how to
>> figure out Keycloak internals :) Is there any way you can point me to look
>> for the instructions on how to do it?
>>
>>
>>
>> 11.11.19 22:27, Leonid Rozenblyum wrote:
>>
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for  KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even before
>> 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn at fstrk.io <mn at fstrk.io> wrote:
>>
>>> I am using the Docker version, and 8.0.0 has not been released in Docker
>>> yet: https://hub.docker.com/r/jboss/keycloak/tags
>>>
>>> so I guess the only option for me is to wait for the 8.0.0 Docker release
>>> then.
>>>
>>>
>>> 11.11.19 17:56, Leonid Rozenblyum wrote:
>>>
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently fixed and the fix
>>> should be part of 8.0.0  https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn at fstrk.io <mn at fstrk.io> wrote:
>>>
>>>> I created a client in Keycloak and set up a test admin URL
>>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60 (this is a
>>>> webhook testing site).
>>>>
>>>> After that, I performed an OpenID login via this client, and then sent
>>>> a logout request to Keycloak.
>>>>
>>>>
>>>> I did this a couple of times, and tried two ways of logging a user out:
>>>>
>>>> - redirecting to
>>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>>
>>>> - force logging out of the user via Keycloak admin interface:
>>>> http://prntscr.com/pv1v76
>>>>
>>>> The user indeed gets logged out. However, in both of these cases I
>>>> don't see any requests coming out from Keycloak. The testing website
>>>> shows zero registered requests.
>>>>
>>>>
>>>> How do I make this work?
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mikhail Novikov
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>> --
>>> Mikhail Novikov
>>> Lead developer, fstrk.io
>>>
>>>
>>
>>
>
>

