I’m trying to implement “instant” logout in all applications, if a user logs out in one application. For some reason the Admin URL is not called after a logout.
then the Admin URL does not get any traffic for any of the clients that have an Admin URL.
But if I go to the Keycloak GUI under the realm > Sessions > Revocation and click on Push I see a POST to /k_push_not_before for every registered Admin URL, so I think the Admin URL is configured correctly.
I am facing the exact same issue @pmorch mentioned (using KC 8.0.1). Logout does not trigger any call to the Admin URL configured, but Revocation does. Any help would be appreciated.
Also, how is it supposed to work? What is a minimal test case?
Currently, the way I test it is:
I log in to multiple applications in the same browser session (utilizing SSO) using a separate client_id for each
Logout from one of them
Expect the AdminURL to be called for the other clients
Actually observe that the AdminURL does not get called for any clients → FAIL
First, can anybody question whether this is a valid test case?
Would it be sufficient to test it by logging in with a single client_id? Is the AdminURL code supposed to be smart enough not to call the AdminURL for the client that initiated the logout? I’m guessing Keycloak can’t really be that smart, since redirect_uri could be the same for multiple clients.
Again, being able to re-create a scenario where it works, even if it is on an older version, would help tremendously.
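To make the "minimal test case" question above concrete, here is a small Admin URL receiver that an application can run while testing. It is an added example, not code from this thread or from Keycloak. It accepts POSTs to /k_logout and /k_push_not_before, records what arrived, and then lets the application reject tokens that belong to a logged-out session or that were issued before the pushed not-before time. The payload field names (action, notBefore, keycloakSessionIds) are modelled on the Keycloak adapter protocol but are assumptions here, and the body is parsed as plain JSON for the sake of an offline test; in the real protocol the body is a JWS signed with the realm key, which the application must verify before acting on it.

```python
"""Minimal Admin URL receiver for testing Keycloak back-channel logout.

Added example, not code from the thread. Field names are assumptions modelled
on the Keycloak adapter protocol; real callbacks carry a signed JWS that must
be verified with the realm public key before anything below is applied."""
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class LogoutState:
    """Tracks logged-out sessions and the realm-wide not-before timestamp."""

    def __init__(self):
        self.lock = threading.Lock()
        self.not_before = 0          # tokens issued before this are stale
        self.dead_sessions = set()   # session ids named in /k_logout calls
        self.events = []             # (path, action) log for the test case

    def apply(self, path, payload):
        """Apply one Admin URL callback. Returns True if it was understood."""
        action = payload.get("action")
        with self.lock:
            if path == "/k_logout" and action == "LOGOUT":
                ids = payload.get("keycloakSessionIds", [])
                if ids:
                    # targeted logout: only the named sessions die
                    self.dead_sessions.update(ids)
                else:
                    # no session ids: treat as "logout all" (assumption)
                    nb = payload.get("notBefore", int(time.time()))
                    self.not_before = max(self.not_before, nb)
            elif path == "/k_push_not_before" and action == "PUSH_NOT_BEFORE":
                self.not_before = max(self.not_before, payload["notBefore"])
            else:
                return False
            self.events.append((path, action))
            return True

    def token_is_usable(self, claims):
        """claims: decoded access-token claims with 'iat' and 'session_state'."""
        with self.lock:
            if claims.get("session_state") in self.dead_sessions:
                return False
            return claims.get("iat", 0) >= self.not_before


class AdminUrlHandler(BaseHTTPRequestHandler):
    """Wires LogoutState to the two Admin URL endpoints Keycloak POSTs to."""

    state = LogoutState()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            payload = json.loads(body)   # real adapters: verify the JWS first
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        understood = self.state.apply(self.path, payload)
        self.send_response(204 if understood else 404)
        self.end_headers()


def serve(port=3666):
    """Run the receiver; point the client's Admin URL at http://<host>:port."""
    HTTPServer(("0.0.0.0", port), AdminUrlHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Keycloak calls the Admin URL from the server side, so whatever address you configure must be reachable from the Keycloak host itself, not just from the browser. The `events` list gives you the observable for the test: after the action you are testing (browser logout, console logout, revocation push), check whether an entry for /k_logout or /k_push_not_before appeared for each client you registered.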
In my opinion, the AdminURL should be called no matter what client triggered the logout. If the purpose is to have a Single Sign Out experience, all clients should behave the same and KC should be consistent in that matter. I’ll see if I can find the expected behavior by looking at the KC code.
So yes, $adminURL/k_logout is POST-ed to when logout is initiated from the management console, but is not POST-ed to when a browser logs out by redirecting to:
Hi @pmorch, after more investigation, I opened: https://issues.redhat.com/browse/KEYCLOAK-15234 because I think there is an issue with KC. The ticket is more detailed with my investigation, feel free to add to it with more details if you want.
Hi Peter, how are you? I wonder if you can help me out.
When a user is logged out or a session has been logged out using the KC console (Manager → Users → userabc → Sessions → logout || logout all sessions), a request to a given API should be sent; this is the task I was asked to do.
I already added in my client adminUrl the local API ip:
I did the same as you said above: hit the revocation Push button. I also tested the Sessions → logout all button.
What I need?
In a nutshell, when I decide to log out a user using the KC console, I need my API to blacklist (saving the data) all the tokens related to this user’s sessions.
Is this possible to achieve right now with the KC console?
I’m not sure what you mean. Is 192.168… the address of your app? How does this even work with that weird “Valid Redirect URIs”? What did you test and what was the outcome of these tests. Please be more specific…
Yes, http://192.168.1.6:3666 is my API URL. I’m not trying to log out through any client application; when I log out using the KC console from the user’s Sessions view, I need KC to send a logout request to my API (that’s why I’m using that IP - my local API).
Something like
POST /k_userlogout
and then in the request body you could have the session data (userid, sessionid, dates, etc).
@pmorch No worries. Do you remember what you used for the Admin URL? That is not quite clear: is it a Keycloak URL or a logout URL for my app? Thanks for responding.
@pmorch don’t worry about it I ended up using the Front-Channel Logout URL to accomplish what I needed. Thanks for responding though, have a great weekend.