Back channel logout: use mapper for logout token

Hi,

I am trying to use back channel logout to inform instances of my REST API when a user is signed out from the admin console (account lock for instance) so they can refuse the JWT issued for this user before the sign out.

But I declared a user property mapper in order to have the username in the sub claim, so the logout token received by my APIs should also contain the username in the sub claim. By default it is the Keycloak user ID. When I create the mapper there is no “Add to logout token” option.

Any idea? Did I miss something?

Thanks!

For logout tokens, there is no mapping supported.

In general, it’s not a good idea to map the username as the sub claim. The subject should be a non-changing identifier of the user across its whole lifetime. The username might change. Better to use the Keycloak ID as the subject, so you also won’t get any problems with the logout token.
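A worked example of the approach the answer recommends, added here and not part of the original thread or of Keycloak's own code: the API keys its revocation list on the stable Keycloak user ID carried in `sub` (and on `sid` where present) instead of on the username, so the logout token and the access tokens match without any mapper. Every issuer URL, client ID, user ID and claim value below is constructed; signature verification of both tokens against the realm's JWKS is assumed to be done by a JOSE library before the claims reach this code.

```python
import base64
import json

# Event URI that OIDC Back-Channel Logout 1.0 requires in the "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWS (header.payload.signature).

    Assumption: the signature was already verified against the realm's JWKS by a
    JOSE library. This helper only parses; it never trusts an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def validate_logout_token(claims: dict, issuer: str, client_id: str) -> dict:
    """Structural checks from OIDC Back-Channel Logout 1.0, section 2.6."""
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this client")
    for required in ("iat", "jti"):
        if required not in claims:
            raise ValueError("missing claim: " + required)
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub or sid")
    if "nonce" in claims:
        raise ValueError("logout tokens must not carry a nonce")
    if BACKCHANNEL_LOGOUT_EVENT not in (claims.get("events") or {}):
        raise ValueError("missing back-channel logout event")
    return claims


class LogoutRegistry:
    """Per-instance record of logouts, keyed by the stable Keycloak user id (sub)
    and by session id (sid). Refuses access tokens issued at or before the logout."""

    def __init__(self):
        self._cutoff = {"sub": {}, "sid": {}}

    def record(self, logout_claims: dict) -> None:
        # Use the logout token's own iat as the cutoff: it comes from the same
        # Keycloak clock that stamps iat on the access tokens we compare against.
        cutoff = logout_claims["iat"]
        for key in ("sub", "sid"):
            if key in logout_claims:
                table = self._cutoff[key]
                table[logout_claims[key]] = max(cutoff, table.get(logout_claims[key], 0))

    def is_revoked(self, access_claims: dict) -> bool:
        """True when the access token predates a recorded logout for its sub or sid."""
        iat = access_claims.get("iat", 0)
        for key, table in self._cutoff.items():
            cutoff = table.get(access_claims.get(key))
            if cutoff is not None and iat <= cutoff:
                return True
        return False


def constructed_token(claims: dict) -> str:
    """Build an *unsigned* compact JWS for this demo only. Real logout tokens are
    signed by Keycloak and verified before decode_claims() is ever called."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"


def demo() -> dict:
    issuer = "https://keycloak.example.test/realms/demo"   # constructed
    client_id = "rest-api"                                  # constructed
    user_id = "f47ac10b-58cc-4372-a567-0e02b2c3d479"        # constructed Keycloak user id
    registry = LogoutRegistry()

    # Access token issued before the admin locked the account (constructed claims).
    before = {"iss": issuer, "aud": client_id, "sub": user_id, "sid": "sess-1",
              "iat": 1_700_000_000, "exp": 1_700_000_300}
    # Logout token Keycloak would POST to the client's back-channel logout URL.
    logout = constructed_token({"iss": issuer, "aud": client_id, "sub": user_id, "sid": "sess-1",
                                "iat": 1_700_000_120, "jti": "logout-1",
                                "events": {BACKCHANNEL_LOGOUT_EVENT: {}}})
    registry.record(validate_logout_token(decode_claims(logout), issuer, client_id))

    # A token issued after the user was re-enabled and signed in again, and a token of another user.
    after = dict(before, sid="sess-2", iat=1_700_000_400, exp=1_700_000_700)
    other = dict(before, sub="0f8fbd59-9c0c-4e7b-8a2a-2f6a5f2a0c11", sid="sess-9")
    return {
        "before_refused": registry.is_revoked(before),
        "after_accepted": not registry.is_revoked(after),
        "other_accepted": not registry.is_revoked(other),
    }


if __name__ == "__main__":
    print(demo())
```

Because both the logout token and the access token carry the same Keycloak-issued `sub`, no "Add to logout token" option is needed; if the API wants the username for display or auditing, it can read it from a separate claim on the access token while leaving `sub` as the stable key.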