[keycloak-user] Logout not send k_logout requests

Peter Skopek pskopek at redhat.com
Thu Sep 5 06:16:26 EDT 2019


Hi Qing Zhang,
what Keycloak adapter is your client using?
It will help if you can share your client (even partially).

Regards,
Peter

On Tue, Sep 3, 2019 at 9:54 AM 张庆 <zqzq71 at shu.edu.cn> wrote:
>
> Hi Guys,
>
>
> I am using Keycloak as a single sign-on solution for several applications. Keycloak works well for SSO, but I have trouble with single logout.
> According to the documentation [https://www.keycloak.org/docs/latest/securing_apps/index.html#logout] and other answers on the mailing list, my understanding is that single logout needs the following steps:
>
>
>  app a in http://172.17.0.1:5000 -> client_a
>  app b in http://172.17.0.5:3000 -> client_b
>  keycloak in http://172.17.0.2:8080
>
>
>  1. Add admin_url for each client (like the following settings)
>    * Client Protocol: openid-connect
>    * Access Type: confidential
>    * Root URL: http://172.17.0.1:5000/
>    * Valid Redirect URls: http://172.17.0.1:5000/*
>    * Base URL: http://172.17.0.1:5000/
>    * Admin URL: http://172.17.0.1:5000/
>
>
>  2. Log out by redirecting the browser to http://172.17.0.2:8080/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=http://172.17.0.1:5000/
>
>
>  3. All client sessions for the user in the current browser will be destroyed and Keycloak will send a logout signal (k_logout) to each client (admin_url); each client receives the logout signal and removes the user's login info
>
>
> In my experiment, watching the Keycloak Manage/Sessions page, when the browser redirects to the Keycloak logout URL, all sessions for the current user are destroyed, but apps a and b do not receive a k_logout request. But if I directly click the "logout all" button on the Manage/Sessions page, all sessions are destroyed and both app a and b receive a k_logout request. With the redirect to the logout URL, the sessions are destroyed, but no logout signal is sent, so each application is still logged in. What am I misunderstanding? Is there a detailed example of single logout? I expect that when a user clicks logout in app a, all applications in the same realm log out together.
>
>
> Another problem is that the client I use is openid-client, which has not implemented k_logout. How should I handle the k_logout request? Is there any documentation on handling k_logout?
>
>
>
>
> Thanks
> Qing Zhang
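The receiving side of step 3 for an app that has no Keycloak adapter, as an added example that is not part of the original thread or of Keycloak's code. It assumes the k_logout POST body is an RS256-signed compact JWS carrying the claims `action`, `resource`, `expiration`, `adapterSessionIds` and `notBefore`, as Keycloak's own adapters read them; the function names, the session store shape and the demo key pair are hypothetical.

```javascript
const crypto = require('crypto');

// base64url helpers (JWS segments are unpadded, URL-safe base64)
const enc = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const dec = (s) => Buffer.from(s, 'base64'); // Node accepts the URL-safe alphabet

// Verify the compact JWS in the POST body against the realm public key.
// Returns the claims, or null when the format or signature is invalid.
function verifyAction(body, realmPublicKey) {
  const parts = String(body).trim().split('.');
  if (parts.length !== 3) return null;
  try {
    if (JSON.parse(dec(parts[0]).toString()).alg !== 'RS256') return null; // pin alg
    const signed = Buffer.from(parts[0] + '.' + parts[1]);
    if (!crypto.verify('sha256', signed, realmPublicKey, dec(parts[2]))) return null;
    return JSON.parse(dec(parts[1]).toString());
  } catch (e) {
    return null;
  }
}

// sessions: Map of local session id -> { issuedAt } (seconds); nowSec: current time.
function handleKLogout(body, realmPublicKey, clientId, sessions, nowSec) {
  const a = verifyAction(body, realmPublicKey);
  const bad = { status: 400, removed: 0 };
  if (!a || a.action !== 'LOGOUT' || a.resource !== clientId) return bad;
  if (typeof a.expiration !== 'number' || a.expiration < nowSec) return bad; // replay window
  let removed = 0;
  if (Array.isArray(a.adapterSessionIds) && a.adapterSessionIds.length) {
    for (const id of a.adapterSessionIds) if (sessions.delete(id)) removed++;
  } else if (typeof a.notBefore === 'number') {
    // No session list: drop every session issued before notBefore.
    for (const [id, s] of sessions) {
      if (s.issuedAt < a.notBefore) { sessions.delete(id); removed++; }
    }
  }
  return { status: 200, removed };
}

// Constructed demo input: a throwaway key pair stands in for the realm key.
function signDemoAction(claims, privateKey) {
  const head = enc(JSON.stringify({ alg: 'RS256' })) + '.' + enc(JSON.stringify(claims));
  return head + '.' + enc(crypto.sign('sha256', Buffer.from(head), privateKey));
}
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
```

The Admin URL endpoint is reachable without a user session, so the signature, `resource` and `expiration` checks are what stop an arbitrary POST from logging users out.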