Back Channel Logout

[mikebrickwall]

I am currently using Keycloak 12.02, which apparently supports OIDC back channel logout. The attached image is a client using OIDC.

I am using mod-auth-openidc 2.3.3 on Ubuntu 18.04

Is it possible to get back channel logouts to work? I can get the regular logout to work with the browser using the redirect url along with the logout get parameter where the redirect url is a passed to Keycloak (OP). It would be great if the back channel worked, so we could log out users directly from the OP or via other sessions that have initiated a logout for the same user.

[mkwm]

Keycloak OIDC backchannel logout has slight spec non-compliance: keycloak/keycloak#7357 (ID tokens are missing sid claim).

If your Keycloak has feature.scripts and feature.upload_scripts features enabled, you can try work this around (for the time being...) using simple script mapper. In my env, I've added new client scope called openid to "Client Scopes" in realm admin console, which contains simple mapper of "Script Mapper" type, named sid:

userSession.getId()

IIRC, you won't see "Script Mapper" type at all if you don't have both features enabled (https://stackoverflow.com/questions/53390134/keycloak-script-authenticator-missing).

Also, mod_auth_openidc 2.3.3 is a bit too old; backchannel logout support requires at least 2.3.9 - https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.9.