Backchannel logout via admin panel

Hello.

In my case when “Service A” requests access token with
grant_type=client_credentials
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
(AND according to comments from https://issues.redhat.com/browse/KEYCLOAK-2931
with client_session_state=… and client_session_host=…) keycloak doesn’t do ‘k_logout’ backchannel request, printing ‘Cant logout {0}: no logged adapter sessions’ to debug output.

I think the problem exists because keycloak doesn’t support such usage for client_credentials grant, only for authorization_code (some research of keycloak server source code). Is there any way to use backchannel logout for this use case?

Resource server represented by spring boot application with appropriate keycloak adapter

Thanks.

Keycloak doesn’t support a backchannel logout as mentioned in the specs. The only thing is the “k_logout” via the admin URL, which you already discovered, but this doesn’t work for client auth.

Backchannel logout is on the roadmap - …somewhere.

Thanks for answer. I think you mentioned this feature request https://issues.redhat.com/browse/KEYCLOAK-2940 , unfortunately it is really “somewhere” and “sometime”. Subscribed and voted just in case

So at the current time, KC backchannel logout is not available right?

According to https://issues.redhat.com/browse/KEYCLOAK-2940, OIDC backchannel logout should come with KC 12.x (but no guarantees).

Thanks a lot for your response.

Hope they get this working in the next version, we need it a lot.!

12.0.2 already supports back-channel logout url config in kc console