Still confused about back-channel logout #605

blevine · 2021-06-14T14:43:38Z

blevine
Jun 14, 2021

Evnironment:

Keycloak 12.0.4
mod_auth_openidc 2.4.4.1

I've written a simple app to test out single logout. The app contains a page with two links:

/protected/redirect_uri?logout=http%3A%2F%2Fwebapp%2Fpub%2Flogged_out.html

and

http://<keycloak_server>/auth/realms/test/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Fwebapp%2Fpub%2Flogged_out.html (the Keycloak end_session_endpoint)

I've configured the Keycloak client with a back-channel logout URL.

When I click on the first link, the mod_auth_openidc_session cookie is deleted and I'm redirected to the logged_out.html page as expected. When I click on the second link, the mod_auth_openidc_session is not deleted and I'm redirected to the logged_out.html page.

The second scenario is to test back-channel logout. However, I'm not clear on how this is supposed to work. If I initiate a logout using Keycloak's end_session_endpoint, is it expected that mod_auth_openidc will be called back via the back-channel mechanism so it can delete its local session? Or am I supposed to handle the back-channel-logout URI myself and call mod_auth_openidc's logout URI?

Or is the trick that I'm supposed to set the Keycloak client's back-channel logout URI to the mod_auth_openidc logout URI?

Thanks!

blevine · 2021-06-14T21:04:32Z

blevine
Jun 14, 2021
Author

Ok. So I may be less confused now after reading through the mod_auth_openidc source. The real question was how to set the back-channel logout URL in the Keycloak client config. It looks like I needed to set it to something like: https://myapp.com/protected/redirect_uri?logout=backchannel. The key being the addition of the ?logout=backchannel. I added a second webapp to my prototype. Now, when I hit .../redirect_uri?logout=https://myapp.com/my/logout/landingpage.html, mod_auth_openidc kills its session and hits Keycloak's end_session_endpoint. Keycloak kills the SSO session and then calls .../protected/redirect_uri?logout=backchannel in the 2nd webapp.

Have I gotten that right. I searched around a bit and I couldn't find a reference to adding ?logout=backchannel. What did I forget to read?

2 replies

zandbelt Jun 15, 2021
Maintainer

it seems documentation on that value is missing indeed, feel free to add it

blevine Jun 17, 2021
Author

Done!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Still confused about back-channel logout #605

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Still confused about back-channel logout #605

Uh oh!

Uh oh!

blevine Jun 14, 2021

Replies: 1 comment · 2 replies

Uh oh!

blevine Jun 14, 2021 Author

Uh oh!

zandbelt Jun 15, 2021 Maintainer

Uh oh!

blevine Jun 17, 2021 Author

blevine
Jun 14, 2021

Replies: 1 comment 2 replies

blevine
Jun 14, 2021
Author

zandbelt Jun 15, 2021
Maintainer

blevine Jun 17, 2021
Author