Keycloak does support back-channel logout, but is it compliant with the OpenID Connect Back-Channel Logout draft spec? https://openid.net/specs/openid-connect-backchannel-1_0.html
2 Answers
OpenID Connect Back-Channel Logout was implemented in Keycloak 12.0, which shipped in December 2020.
Earlier versions only implemented an alternative, proprietary mechanism.
This is Keycloak's Jira Issue regarding this topic. Go and vote for it!
After going over the spec and Keycloak's implementation, I have to say that it is NOT compliant with the spec. As an example, this is the difference in the required logout token format that should be sent from the OP to the RP:
2.4. Logout Token
OPs send a JWT similar to an ID Token to RPs called a Logout Token to request that they log out. ID Tokens are defined in Section 2 of [OpenID.Core].
The following Claims are used within the Logout Token:
iss REQUIRED. Issuer Identifier, as specified in Section 2 of [OpenID.Core].
sub OPTIONAL. Subject Identifier, as specified in Section 2 of [OpenID.Core].
aud REQUIRED. Audience(s), as specified in Section 2 of [OpenID.Core].
iat REQUIRED. Issued at time, as specified in Section 2 of [OpenID.Core].
jti REQUIRED. Unique identifier for the token, as specified in Section 9 of [OpenID.Core].
events REQUIRED. Claim whose value is a JSON object containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON object and SHOULD be the empty JSON object {}.
sid OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out.
And this is what Keycloak sends in its current version (8.0.1):
{
  "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
  "expiration": 1579360331,
  "resource": "resource-server-1",
  "action": "LOGOUT",
  "adapterSessionIds": [
    "6569208C4937FD9C6E138C9DD9CF7C6F"
  ],
  "notBefore": 0,
  "keycloakSessionIds": [
    "ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"
  ]
}
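The Section 2.4 claim rules quoted in the second answer, written as a check an RP could run on decoded logout-token claims and applied to both a conformant claim set and the Keycloak 8.0.1 payload. This is an added example, not part of either answer and not Keycloak code; it assumes the JWT signature has already been verified, and the names `claim_violations`, `logout_scope` and the `CONFORMANT` sample values are illustrative.

```python
import json

# Member name that marks a JWT as a Logout Token (from the quoted Section 2.4).
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
REQUIRED_CLAIMS = ("iss", "aud", "iat", "jti", "events")


def claim_violations(claims):
    """Return the quoted Section 2.4 rules that `claims` breaks (empty list = conformant)."""
    problems = [f"missing REQUIRED claim: {name}"
                for name in REQUIRED_CLAIMS if name not in claims]
    events = claims.get("events")
    if events is not None:
        if not isinstance(events, dict):
            problems.append("events is not a JSON object")
        elif not isinstance(events.get(LOGOUT_EVENT), dict):
            problems.append("events lacks the backchannel-logout member with an object value")
    if "sub" not in claims and "sid" not in claims:
        problems.append("neither sub nor sid is present")
    return problems


def logout_scope(claims):
    """Decide what the RP terminates: one session if sid is given, else all for iss+sub."""
    if claim_violations(claims):
        return "reject"
    return "session" if "sid" in claims else "all-sessions-for-subject"


# Constructed sample: a claim set that follows the quoted rules (values are made up).
CONFORMANT = {
    "iss": "https://op.example.test", "aud": "resource-server-1", "iat": 1579360301,
    "jti": "constructed-jti-0001", "events": {LOGOUT_EVENT: {}}, "sid": "constructed-sid",
}

# The Keycloak 8.0.1 logout payload quoted in the answer above.
KEYCLOAK_8_0_1 = json.loads("""{
  "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
  "expiration": 1579360331,
  "resource": "resource-server-1",
  "action": "LOGOUT",
  "adapterSessionIds": ["6569208C4937FD9C6E138C9DD9CF7C6F"],
  "notBefore": 0,
  "keycloakSessionIds": ["ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"]
}""")

if __name__ == "__main__":
    for name, claims in (("conformant", CONFORMANT), ("keycloak-8.0.1", KEYCLOAK_8_0_1)):
        print(name, logout_scope(claims), claim_violations(claims))
```

An RP that accepts only spec-format logout tokens rejects the 8.0.1 payload on every required claim, so the two formats cannot be handled by the same endpoint logic without an explicit adapter.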