Keycloak Logout Session Behavior Clarification

[nandish kumar]

Hi Team, I wanted to highlight a specific behavior we're observing in our Keycloak-based authentication and Application side authorization setup. Currently, when a user logs in to multiple applications (e.g., App1 and App2) using the same session, logging out from one application (App1) based on the app level configured idle time out every application results in the termination of the session across all applications, including App2. However, our requirement is to maintain session isolation per application. That is, when a user logs out from App1, the session in App2 should remain active. To achieve this, we propose that the logout redirection URL should be triggered only for the specific application initiating the logout, rather than invalidating all active client sessions. This change would help us preserve user experience and session continuity across applications while maintaining secure logout behavior.

Thanks

Nandish.

[Alexander Schwartz]

Hello Nandish,

The way to do what you ask for in the OpenID Connect standards is to revoke the refresh token. 

There was a time when this revoked all client sessions, but this is not the case any more with the recent versions of Keycloak - see https://github.com/keycloak/keycloak/issues/35486

Best,

Alexander

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/4606b804-32fe-4616-8254-2f884332285en%40googlegroups.com.

--

Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer

alexander...@ibm.com

IBM Data Privacy Statement 

IBM Deutschland Research & Development GmbH

Vorsitzender des Aufsichtsrats: Wolfgang Wendt

Geschäftsführung: David Faller

Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294