[keycloak-user] keycloak does not send backchannel logout requests to Admin URL

Leonid Rozenblyum lrozenblyum at gmail.com
Wed Nov 13 15:03:01 EST 2019


Hi, I use a similar link to log-out.
Maybe in order to investigate the reason of the issue, you may increase
logging level of keycloak by editing standalone.xml (try setting TRACE
level for org.keycloak package in logging subsystem).

On Tue, Nov 12, 2019 at 2:02 PM mn at fstrk.io <mn at fstrk.io> wrote:

> I see, thanks!
>
> But I created a catch-all REST endpoint that would show any requests
> coming from keycloak. And it shows none.
>
> Maybe you are executing logout in a different way than me? I just redirect
> the user to a logout URL:
> http://xxxxx:com/auth/realms/fasttrack/protocol/openid-connect/logout
> <http://ec2-52-90-230-56.compute-1.amazonaws.com:9090/auth/realms/fasttrack/protocol/openid-connect/logout>
>
>
>
> 12.11.19 10:16, Leonid Rozenblyum wrote:
>
> The adapter creates REST endpoints to listen to the logout event.
> Suppose there are 2 apps under SSO. You execute log-out from one of them.
> Another one is receiving backchannel call from Keycloak about the log-out
> event to immediately terminate session.
> Otherwise the 2nd app will know about session invalidation only after
> next request to keycloak (e.g. for refreshing a token).
>
> I've been using Keycloak Spring Security Adapter 7.0.1 with Keycloak 7.0.1
> however it still contained a bug for Single Logout that's why I had to
> promote a fix for https://issues.jboss.org/browse/KEYCLOAK-10266.
>
> Until keycloak 8 is released I had to apply a workaround of custom
> HttpSessionManager registration.
>
>
> On Tue, Nov 12, 2019 at 6:09 AM mn at fstrk.io <mn at fstrk.io> wrote:
>
>> Anyway, if you've made this work, please specify the versions of the
>> libraries you used; I will find a Java friend to put them together, and
>> then I'll look at HTTP requests issued and implement them in Python :)
>>
>> 11.11.19 23:06, Leonid Rozenblyum wrote:
>>
>> Well since Spring Security adapter is used inside Java client software to
>> secure communication with Keycloak, and you're developing your software in
>> Python - it seems to be another problem...
>>
>> According to the docs:
>>
>>
>> *Admin URL*
>> For *Keycloak specific* client adapters, this is the callback endpoint
>> for the client. The Keycloak server will use this URI to make callbacks
>> like pushing revocation policies, performing backchannel logout, and other
>> administrative operations. For Keycloak servlet adapters, this can be the
>> root URL of the servlet application. For more information see Securing
>> Applications and Services Guide.
>>
>> It looks like Python OIDC library is not keycloak-specific, so Admin URL
>> is NOT an option to set up backchannel logout.
>>
>> On Mon, Nov 11, 2019 at 9:41 PM mn at fstrk.io <mn at fstrk.io> wrote:
>>
>>> I would love to try it, but I am a Python guy and I am not sure how to
>>> figure out Keycloak internals :) is there any way you can point me to look
>>> for the instructions on how to do it?
>>>
>>>
>>>
>>> 11.11.19 22:27, Leonid Rozenblyum wrote:
>>>
>>> Ok, I see.
>>> But do you use Spring Security adapter in your application?
>>> If yes, a workaround for  KEYCLOAK-10266
>>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
>>> before 8.0.0 release.
>>>
>>> On Mon, Nov 11, 2019 at 6:48 PM mn at fstrk.io <mn at fstrk.io> wrote:
>>>
>>>> I am using the Docker version, and 8.0.0 has not been released in
>>>> Docker yet: https://hub.docker.com/r/jboss/keycloak/tags
>>>>
>>>> so I guess the only option for me is wait for the 8.0.0 Docker release
>>>> then.
>>>>
>>>>
>>>> 11.11.19 17:56, Leonid Rozenblyum wrote:
>>>>
>>>> Hi. What adapter are you using?
>>>> Spring Security adapter had a bug which was recently fixed and the fix
>>>> should be part of 8.0.0  https://issues.jboss.org/browse/KEYCLOAK-10266
>>>>
>>>> On Mon, Nov 11, 2019 at 6:14 AM mn at fstrk.io <mn at fstrk.io> wrote:
>>>>
>>>>> I created a client in Keycloak and set up a test admin URL
>>>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60 (this is a
>>>>> webhook testing site).
>>>>>
>>>>> After that, I performed an OpenID login via this client, and then sent
>>>>> a logout request to Keycloak.
>>>>>
>>>>>
>>>>> I did this a couple of times, and tried two ways of logging a user out:
>>>>>
>>>>> - redirecting to
>>>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>>> <
>>>>> http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout
>>>>> >
>>>>>
>>>>> - force logging out of the user via Keycloak admin interface:
>>>>> http://prntscr.com/pv1v76
>>>>>
>>>>> The user indeed gets logged out. However, in both of these cases I
>>>>> don't see any requests coming out from Keycloak. The testing website
>>>>> shows zero registered requests.
>>>>>
>>>>>
>>>>> How do I make this work?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Mikhail Novikov
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>> --
>>>> Mikhail Novikov
>>>> Lead Developer, fstrk.io
>>>>
>>>>
>
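
The logging change suggested at the top of this message, sketched as a `standalone.xml` fragment. This is an added example, not part of the original thread; the handler name and formatter follow stock WildFly defaults and are assumptions about the reader's configuration.

```xml
<!-- standalone.xml: elements inside the existing logging <subsystem>.
     Added example; handler name and formatter are assumed WildFly defaults. -->

<!-- A handler that carries its own level filters records before they are
     written. Left at INFO, it drops the TRACE output enabled below, so the
     console (and container log output) would show nothing new. -->
<console-handler name="CONSOLE">
    <level name="TRACE"/>
    <formatter>
        <named-formatter name="COLOR-PATTERN"/>
    </formatter>
</console-handler>

<!-- Category logger for the package named in the message above. -->
<logger category="org.keycloak">
    <level name="TRACE"/>
</logger>
```

TRACE output is verbose and can include session and token details, so restore the previous levels once the logout flow has been traced.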

