How to configure Backchannel Logout?

[Björn Eickvonder]

I use Keycloak 15.0.2 and for testing I have setup 3 realms: A, B and backend.

I have connected A->backend and B->backend with individual broker clients A and B in the backend realm.

In the OpenId Connect Config I enabled Backchannel Logout. If I now log into A and B (for testing purposes just the security admin console), I have sessions in A, B and backend.

If I now logout from A, my session is removed in A and the backend, but it is not gone in B? What do I miss that I will get logged out in B as well?

I tried setting Backchannel Logout URL in the backchannel client A to http://localhost:8080/auth/realms/A/protocol/openid-connect/logout and in the client B to http://localhost:8080/auth/realms/B/protocol/openid-connect/logout

But this seems to have no effect.

[Fabrice G.]

Hi,

Realms are intended to isolate authentication contexts one from the others.

IHMO, if you setup a single realm with 3 clients A,B and backend and define backchannel  logout url for each as needed (e.g. https://my.app.a.com/logout) , it  will work just fine and be easier to managed.

Regards,