Keycloak Single Sign Out
How do you provide single sign-out (single log out) with Keycloak?
What this means is: when a user logs out of one application (client) that signed in through Keycloak, Keycloak ends that user's SSO session, so the other clients sharing the session are logged out as well. Keycloak tells each client about it server-to-server, using the Admin URL configured on that client, so a client without an Admin URL only notices at its next token check.
According to the mozilla-django-oidc documentation, ending the session at the provider is not part of the core OpenID Connect specification; on its own the package only logs the user out of Django, and it has to be told how to build the provider's logout URL.
However the flow would work something like this:
- Be a logged in user on the client
- Click logout on the client
- Client sends logout request to keycloak
- Keycloak terminates all open sessions
- You are now logged out on all clients
Sending the Logout Request on Keycloak
The Keycloak documentation on logout says you should redirect the browser to the realm's logout endpoint (the /protocol/openid-connect/logout URL that the settings below store as OIDC_OP_LOGOUT_ENDPOINT), passing a redirect_uri query parameter that tells Keycloak where to send the browser once the SSO session is gone.
So make sure the browser is redirected to that address, not just logged out locally. Two caveats: Keycloak only honours a redirect_uri that matches the client's Valid Redirect URIs (anything else is rejected, which is what stops the logout endpoint being used as an open redirector), and on Keycloak 18 and later the parameter is post_logout_redirect_uri accompanied by an id_token_hint, with the bare redirect_uri form deprecated.
Example Code for Django
urls.py:

```python
urlpatterns = [
    ...
    path('logout', views.keycloak_logout, name='logout'),
]
```

views.py:

```python
from django.conf import settings
from django.contrib import auth
from django.core.exceptions import ImproperlyConfigured
from django.http import HttpResponseRedirect
from django.utils.http import urlencode


def get_logout_url(request):
    """Return the Keycloak logout URL, asking Keycloak to send the browser
    back to this site's root once the SSO session has been ended."""
    keycloak_logout_endpoint = getattr(settings, "OIDC_OP_LOGOUT_ENDPOINT", None)
    if not keycloak_logout_endpoint:
        raise ImproperlyConfigured("OIDC_OP_LOGOUT_ENDPOINT is not set")
    # The return address is a full URL inside a query string, so it must be
    # percent-encoded rather than concatenated as-is.
    query = urlencode({"redirect_uri": request.build_absolute_uri("/")})
    return f"{keycloak_logout_endpoint}?{query}"


def keycloak_logout(request):
    """Log the user out of this app, then send the browser to Keycloak so the
    SSO session (and with it every other client's session) is ended too."""
    # Anonymous visitors just go to the normal post-logout page.
    logout_url = getattr(settings, "LOGOUT_REDIRECT_URL", None) or "/"
    if request.user.is_authenticated:
        logout_url = get_logout_url(request)
        # Log out the Django user if they were logged in.
        auth.logout(request)
    return HttpResponseRedirect(logout_url)
```

settings.py:

```python
# Fill in the host of your Keycloak server before the first slash.
OIDC_OP_LOGOUT_ENDPOINT = "http:///auth/realms/my-realm/protocol/openid-connect/logout"
# mozilla-django-oidc calls this function with the request and expects it to
# return the URL to redirect the browser to, so it must point at
# get_logout_url, not at the keycloak_logout view (the view is reached
# through the 'logout' path in urls.py instead).
OIDC_OP_LOGOUT_URL_METHOD = "portal.views.get_logout_url"
```

With OIDC_OP_LOGOUT_URL_METHOD set, the package's own oidc_logout view also ends the Django session and redirects to the URL the function returns, so either entry point produces the same Keycloak redirect.
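The following is an added example, not code from the original page or from mozilla-django-oidc, that builds the Keycloak logout redirect the way the steps above describe but without Django, so it runs stand-alone. It goes beyond the text in two ways: it supports both the legacy redirect_uri form and the Keycloak 18+ post_logout_redirect_uri plus id_token_hint form, and it refuses to use a return address on a host we do not own, so the logout flow cannot be turned into an open redirect even if Keycloak's own Valid Redirect URIs check were misconfigured. The endpoint host sso.example.com, the allowed host app.example.com and the id token value are assumptions for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Realm logout endpoint; the host is an assumed placeholder for this example.
LOGOUT_ENDPOINT = "https://sso.example.com/auth/realms/my-realm/protocol/openid-connect/logout"
# Hosts we are willing to send the browser back to after logout (assumed).
ALLOWED_RETURN_HOSTS = {"app.example.com"}


def is_allowed_return_url(return_url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """The return address travels in a query string, so treat it as untrusted:
    only absolute http(s) URLs on a host we own are acceptable."""
    parts = urlsplit(return_url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def build_logout_url(return_url, id_token=None, legacy=False,
                     logout_endpoint=LOGOUT_ENDPOINT):
    """Return the Keycloak logout URL the browser should be redirected to.

    legacy=True  -> Keycloak before 18: ?redirect_uri=<url>
    legacy=False -> Keycloak 18+:       ?post_logout_redirect_uri=<url>&id_token_hint=<jwt>
    """
    if not logout_endpoint:
        raise ValueError("Keycloak logout endpoint is not configured")
    if not is_allowed_return_url(return_url):
        raise ValueError(f"refusing to use {return_url!r} as a logout return address")
    if legacy:
        params = {"redirect_uri": return_url}
    else:
        if not id_token:
            # Keycloak 18+ validates post_logout_redirect_uri against the client
            # named by id_token_hint (later releases also accept client_id);
            # this example requires the id token.
            raise ValueError("id_token_hint is required with post_logout_redirect_uri")
        params = {"post_logout_redirect_uri": return_url, "id_token_hint": id_token}
    # urlencode percent-encodes the ':' and '/' inside the return URL, which
    # plain string concatenation would leave as-is.
    return f"{logout_endpoint}?{urlencode(params)}"


def logout_params(url):
    """Decode the query string of a built logout URL (useful when debugging)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    print(build_logout_url("https://app.example.com/", legacy=True))
    print(build_logout_url("https://app.example.com/", id_token="eyJhbGciOi.example.sig"))
```

In a real view the return address comes from request.build_absolute_uri("/"), which is derived from the Host header, so the allow-list check is the same discipline as Django's ALLOWED_HOSTS applied one step later.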
Single Sign Out Not Working
If single sign-out is not working, first check that the TLS certificates of the client hosts are valid and trusted by the JVM Keycloak runs in: Keycloak calls each client's Admin URL server-to-server to end that client's session, and the call fails when it cannot build a trust chain for the client's certificate. A self-signed or private-CA certificate that the browser has been told to accept is still untrusted from Keycloak's side until its CA is added to the truststore Keycloak uses for outgoing HTTPS.
You will see the failure in the Keycloak log, for example (this one is from a SAML client; an OIDC client's back-channel logout fails for the same reason):
08:18:22,410 WARN [org.keycloak.protocol.saml.SamlProtocol] (default task-27) failed to send saml logout: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
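As an added example that is not part of the original page, the following script scans Keycloak server.log lines for failed back-channel logout attempts and classifies the cause from the Java exception text, so the certificate problem above can be spotted mechanically rather than by eye. The log format and the first sample line are the ones quoted above; the other sample lines, the cause table and the advice text are constructed for the example.

```python
import re

# WildFly-era Keycloak server.log format: "HH:MM:SS,mmm LEVEL [logger] (thread) message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<message>.*)$"
)

# Substrings of the Java exception text mapped to a likely cause (assumed table).
CAUSES = (
    ("untrusted-certificate", "PKIX path building failed"),
    ("hostname-mismatch", "No subject alternative"),
    ("connection-refused", "Connection refused"),
)

ADVICE = {
    "untrusted-certificate": "add the client host's CA certificate to the truststore Keycloak uses for outgoing HTTPS",
    "hostname-mismatch": "the client's certificate does not cover the host name in its Admin URL",
    "connection-refused": "nothing is listening at the client's Admin URL from Keycloak's network position",
    "unknown": "inspect the full exception in server.log",
}

# Constructed sample log: the first line is the one quoted in the text, the
# INFO line and the connection-refused line are made up to exercise the other paths.
SAMPLE_LOG = """\
08:18:22,410 WARN [org.keycloak.protocol.saml.SamlProtocol] (default task-27) failed to send saml logout: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
08:18:22,412 INFO  [org.keycloak.events] (default task-27) type=LOGOUT, realmId=my-realm, clientId=portal
08:19:01,003 WARN  [org.keycloak.protocol.saml.SamlProtocol] (default task-28) failed to send saml logout: java.net.ConnectException: Connection refused (Connection refused)
"""


def parse_line(line):
    """Split one server.log line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_cause(message):
    """Map the exception text in a failure message to one of the known causes."""
    for cause, needle in CAUSES:
        if needle in message:
            return cause
    return "unknown"


def find_logout_failures(log_text):
    """Return one record per failed back-channel logout attempt in the log."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "WARN":
            continue
        msg = rec["message"].lower()
        if "failed to send" not in msg or "logout" not in msg:
            continue
        cause = classify_cause(rec["message"])
        failures.append({
            "time": rec["time"],
            "logger": rec["logger"],
            "cause": cause,
            "advice": ADVICE[cause],
        })
    return failures


if __name__ == "__main__":
    for failure in find_logout_failures(SAMPLE_LOG):
        print(f'{failure["time"]} {failure["cause"]}: {failure["advice"]}')
```

Running it over a real server.log after a test logout tells you within seconds whether the clients that did not log out were never reached, and why, which is quicker than retrying the flow in several browsers.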