Logout Timing #1217
Unanswered. GRRedWings asked this question in Q&A.
Replies: 1 comment 1 reply
It depends on the type of logout used (front-channel, back-channel), the session type in use (server-cache, client-cookie), and the version of the module.
Is it possible that there is some sort of small window during a logout where a call could get through while the library thinks it is still authenticated?
I ask this because of what I see when looking at our logout implementation.
I'm using Keycloak, and in my SPA I make a call to ?logout=
When this happens, sometimes it fails with a white screen. If I look at the network traffic I see:
the logout call to my server, with a status code of 302;
a logout call to the Keycloak server with the id_token_hint and a post_logout_redirect_uri that matches the logout value in the logout call from the SPA, with a 302 status code;
I then see a call to the post_logout_redirect_uri.
My SPA is Lit, so then I see a call to main.js, which returns a 200.
Next I see a call to another file, which returns a 401.
If I start in a clean browser, as soon as I make a call to the root URL, the first thing that happens is that it redirects to Keycloak for auth. So it seems, at a quick glance, that the logout flow is off: it should not allow main.js to succeed, but should instead have redirected me.
The only difference that I see is that when I go to the root URL, it is a 302 and redirects to Keycloak, but when I log out and go there, it leaves Keycloak to Apache as a 200 to the root URL.
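The reply says the answer depends on the session type, among other things. The following is an added example of mine, not code from the module, Keycloak, or the poster's application; every endpoint, key, path and cookie format in it is a constructed assumption. It models the RP-initiated logout sequence described in the question (the SPA calls `?logout=`, the RP answers 302 to the OP end-session endpoint with `id_token_hint` and `post_logout_redirect_uri`) under a server-cache session and a client-cookie session, then replays requests that still carry the pre-logout cookie, which is what an in-flight asset request like `main.js` looks like to the server. A server-side session can be deleted at logout, so the stale cookie is refused; a self-contained cookie cannot be deleted by the server, so it keeps validating until the browser drops it or the server keeps a revocation record, which the example adds as the mitigation.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical endpoints and key, constructed for this example (not from the page).
OP_END_SESSION = "https://op.example/realms/demo/protocol/openid-connect/logout"
OP_AUTHORIZE = "https://op.example/realms/demo/protocol/openid-connect/auth"
POST_LOGOUT_REDIRECT = "https://app.example/"
COOKIE_KEY = b"constructed-demo-key"


@dataclass
class Request:
    path: str
    cookie: Optional[str]  # session cookie the browser sends, or None


@dataclass
class Response:
    status: int
    location: Optional[str] = None


class RelyingParty:
    """Toy RP with the two session types named in the reply: 'server-cache'
    (opaque id, state in a server-side dict) and 'client-cookie' (a
    self-contained MAC'd cookie that carries the session state itself)."""

    def __init__(self, session_type: str, revoke_cookie_sessions: bool = False):
        assert session_type in ("server-cache", "client-cookie")
        self.session_type = session_type
        self.revoke_cookie_sessions = revoke_cookie_sessions
        self.store: Dict[str, dict] = {}   # server-cache: sid -> session
        self.revoked: Set[str] = set()     # client-cookie mitigation: logged-out sids

    def login(self, sub: str, id_token: str) -> str:
        session = {"sid": f"sid-{sub}", "sub": sub, "id_token": id_token}
        if self.session_type == "server-cache":
            self.store[session["sid"]] = session
            return session["sid"]
        body = json.dumps(session).encode()
        return body.hex() + "." + hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest()

    def _session(self, cookie: Optional[str]) -> Optional[dict]:
        if cookie is None:
            return None
        if self.session_type == "server-cache":
            return self.store.get(cookie)
        body_hex, _, mac = cookie.partition(".")
        try:
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest()):
            return None
        session = json.loads(body)
        # Without a revocation record the cookie stays valid after logout: the
        # server holds nothing to delete, so only the browser dropping it ends it.
        if self.revoke_cookie_sessions and session["sid"] in self.revoked:
            return None
        return session

    def handle(self, req: Request) -> Response:
        session = self._session(req.cookie)
        if req.path.startswith("/?logout="):
            if session is None:
                return Response(302, POST_LOGOUT_REDIRECT)
            if self.session_type == "server-cache":
                del self.store[session["sid"]]
            else:
                self.revoked.add(session["sid"])  # only enforced if revoke_cookie_sessions
            # RP-initiated logout: send the browser on to the OP's end-session endpoint.
            return Response(302, f"{OP_END_SESSION}?id_token_hint={session['id_token']}"
                                 f"&post_logout_redirect_uri={POST_LOGOUT_REDIRECT}")
        if session is None:
            return Response(302, OP_AUTHORIZE)  # no session: bounce to the OP for auth
        return Response(200)


def replay(session_type: str, revoke_cookie_sessions: bool = False) -> List[Tuple[str, int]]:
    """Constructed trace: login, logout, then requests that still carry the old
    cookie (in flight, or sent before the browser applied the clearing Set-Cookie)."""
    rp = RelyingParty(session_type, revoke_cookie_sessions)
    cookie = rp.login("alice", "constructed.id.token")
    trace = [
        Request("/main.js", cookie),
        Request(f"/?logout={POST_LOGOUT_REDIRECT}", cookie),
        Request("/main.js", cookie),      # stale cookie after logout
        Request("/api/data", cookie),     # stale cookie after logout
        Request("/", None),               # clean browser: no cookie at all
    ]
    return [(r.path, rp.handle(r).status) for r in trace]


def stale_cookie_accepted(session_type: str, revoke_cookie_sessions: bool = False) -> bool:
    """True if any request after the logout 302 still gets a 200."""
    results = replay(session_type, revoke_cookie_sessions)
    logout_index = next(i for i, (p, _) in enumerate(results) if p.startswith("/?logout="))
    return any(status == 200 for _, status in results[logout_index + 1:])


if __name__ == "__main__":
    for st, rev in (("server-cache", False), ("client-cookie", False), ("client-cookie", True)):
        print(st, "revoke" if rev else "no-revoke", replay(st, rev), stale_cookie_accepted(st, rev))
```

Running it shows the stale `main.js` and `/api/data` requests refused under `server-cache`, accepted under `client-cookie` without a revocation record, and refused again once `revoke_cookie_sessions=True`. The revocation set is the piece a cookie-based deployment needs (bounded by the cookie's lifetime) if "logged out" must mean "refused immediately" rather than "refused once the browser has dropped the cookie".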