Ok. So I may be less confused now after reading through the mod_auth_openidc source. The real question was how to set the back-channel logout URL in the Keycloak client config. It looks like I needed to set it to something like: https://myapp.com/protected/redirect_uri?logout=backchannel. The key being the addition of the Have I gotten that right? I searched around a bit and I couldn't find a reference to adding
Environment:
I've written a simple app to test out single logout. The app contains a page with two links:
/protected/redirect_uri?logout=http%3A%2F%2Fwebapp%2Fpub%2Flogged_out.html
and
http://<keycloak_server>/auth/realms/test/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Fwebapp%2Fpub%2Flogged_out.html (the Keycloak end_session_endpoint)
I've configured the Keycloak client with a back-channel logout URL.
When I click on the first link, the mod_auth_openidc_session cookie is deleted and I'm redirected to the logged_out.html page as expected. When I click on the second link, the mod_auth_openidc_session is not deleted and I'm redirected to the logged_out.html page.
The second scenario is to test back-channel logout. However, I'm not clear on how this is supposed to work. If I initiate a logout using Keycloak's end_session_endpoint, is it expected that mod_auth_openidc will be called back via the back-channel mechanism so it can delete its local session? Or am I supposed to handle the back-channel-logout URI myself and call mod_auth_openidc's logout URI?
Or is the trick that I'm supposed to set the Keycloak client's back-channel logout URI to the mod_auth_openidc logout URI?
Thanks!
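For readers following the back-channel scenario in this thread: a sketch of what a relying party does when the OpenID Provider POSTs a `logout_token` to its back-channel logout URL, with checks modelled on OpenID Connect Back-Channel Logout 1.0. This is an added example, not code from mod_auth_openidc or Keycloak; the function names, the HS256 shared key and the in-memory session table are assumptions made to keep it self-contained.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

# Assumption: HS256 keeps this stdlib-only; in practice verify against the OP's JWKS.
def _sign(data, key):
    return hmac.new(key, data.encode(), hashlib.sha256).digest()

def make_token(claims, key):
    """Constructed test helper: build an HS256-signed JWT."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    data = enc({"alg": "HS256"}) + "." + enc(claims)
    return data + "." + base64.urlsafe_b64encode(_sign(data, key)).rstrip(b"=").decode()

def verify_logout_token(token, key, issuer, client_id, now=None):
    """Return the claims of a valid logout token, else raise ValueError."""
    head, body, sig = token.split(".")  # ValueError unless exactly 3 parts
    header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
    if header.get("alg") != "HS256" or not hmac.compare_digest(_sign(f"{head}.{body}", key), _b64d(sig)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # keeps an ID token from being replayed as a logout token
        raise ValueError("nonce present")
    if not (claims.get("sid") or claims.get("sub")):
        raise ValueError("no sid or sub")
    return claims

def backchannel_logout(post_body, sessions, **cfg):
    """Endpoint logic: drop matching server-side sessions, return HTTP status."""
    token = parse_qs(post_body).get("logout_token", [""])[0]
    try:
        claims = verify_logout_token(token, **cfg)
    except (ValueError, AttributeError):
        return 400
    sid, sub = claims.get("sid"), claims.get("sub")
    for key in [k for k, s in sessions.items() if (s["sid"] == sid if sid else s["sub"] == sub)]:
        del sessions[key]
    return 200
```

Because this POST comes from the OP rather than from the browser, the endpoint can only invalidate session state held on the server; no browser cookie is sent or cleared by the request itself.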