I am trying to implement a single logout using the backchannel logout introduced in Keycloak 12 and Spring Security. This topic seems to be really new and not trivial, because I can’t find any examples on the internet. Therefore I hope for your expertise. The following initial situation:
I have a Keycloak server instance with a realm and a client (Protocol: openid-connect | Access type: Public). Both Keycloak and my Spring applications run behind a reverse proxy. I have already successfully implemented a single login. Now I would like to implement a single logout using Spring Security. That means, if a user presses logout in App1, a logout in all other apps should happen automatically via the backchannel (the number of apps is not limited).
Can you please give me some guidance on how to achieve this configuration. What should be entered as “Backchannel Logout URL” in the Keycloak client? The backchannel logout URL is different for each app. Theoretically, each app would have to specify a backchannel logout url when logging in. If I understand it correctly, then the setting “Backchannel Logout Session Required” is used for this, correct?
Spring Security doesn't support the OpenID Connect Back-channel Logout flow yet. Support will be added in a future version. You can follow the progress in this GitHub issue.