WildFly SSO logout implementation using OIDC Back-channel logout


Zeta

May 5, 2023, 8:04:10 AM
to WildFly
Does Elytron OIDC client support OIDC Back-channel logout "out of the box"?

I would like to implement a SSO logout using WildFly 26.0.1 and Keycloak 17.0.1.
When a user logs out from one application I also want to log out from other applications
(invalidating the sessions) in the same WildFly server.
JakartaEE API does not support invalidating a session by a session ID...

Any suggestions?
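The question above hinges on one gap: a back-channel logout request carries the OIDC session id (the `sid` claim of the logout token), but the Servlet API cannot invalidate a session by its id. The usual application-level workaround is to keep your own registry that maps `sid` to the container `HttpSession`, filled after login and cleaned by an `HttpSessionListener`, and to expose an endpoint that validates the logout token and invalidates the matching session. The following is an added example, not code from this thread, from WildFly or from Keycloak; it assumes Jakarta Servlet 5+, the nimbus-jose-jwt library on the classpath, and hypothetical values for the package name, issuer URL, client id and endpoint path.

```java
// File: SidSessionRegistry.java  (added example; package and names are hypothetical)
package com.example.sso;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

/** Maps the OIDC "sid" of a logged-in user to the container session holding it. */
@WebListener
public class SidSessionRegistry implements HttpSessionListener {
    static final String SID_ATTR = "oidc.sid";
    private static final Map<String, HttpSession> BY_SID = new ConcurrentHashMap<>();

    /** Call once after a successful login, with the "sid" claim taken from the ID token. */
    public static void register(HttpSession session, String sid) {
        session.setAttribute(SID_ATTR, sid);
        BY_SID.put(sid, session);
    }

    /** Invalidates the session bound to sid; returns whether a live session was found. */
    public static boolean invalidateBySid(String sid) {
        HttpSession s = BY_SID.remove(sid);
        if (s == null) return false;
        try { s.invalidate(); } catch (IllegalStateException alreadyInvalid) { /* ignore */ }
        return true;
    }

    /** Keeps the map from leaking when the container expires a session on its own. */
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        Object sid = e.getSession().getAttribute(SID_ATTR);
        if (sid != null) BY_SID.remove(sid.toString());
    }
}

// File: BackchannelLogoutServlet.java  (added example; URLs and ids are hypothetical)
package com.example.sso;

import java.io.IOException;
import java.net.URL;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Receives POST logout_token=<JWT> from the OpenID Provider and ends the local session. */
@WebServlet("/oidc/backchannel-logout")
public class BackchannelLogoutServlet extends HttpServlet {
    // Hypothetical values; in practice take them from the realm's discovery document.
    private static final String ISSUER = "https://keycloak.example.test/realms/demo";
    private static final String CLIENT_ID = "my-app";
    private static final String JWKS_URL = ISSUER + "/protocol/openid-connect/certs";
    private static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    private DefaultJWTProcessor<SecurityContext> processor;

    @Override public void init() throws ServletException {
        try {
            JWKSource<SecurityContext> keys = JWKSourceBuilder.create(new URL(JWKS_URL)).build();
            processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        } catch (Exception e) { throw new ServletException(e); }
    }

    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = req.getParameter("logout_token");
        if (token == null) { resp.sendError(400, "missing logout_token"); return; }
        try {
            // Verifies the signature against the provider's JWKS and the exp/nbf claims.
            JWTClaimsSet c = processor.process(token, null);
            // Logout-token checks from the OIDC Back-Channel Logout spec: iss, aud, iat, jti,
            // the backchannel-logout event, and the absence of a nonce.
            boolean ok = ISSUER.equals(c.getIssuer())
                    && c.getAudience().contains(CLIENT_ID)
                    && c.getIssueTime() != null
                    && c.getJWTID() != null
                    && c.getJSONObjectClaim("events") != null
                    && c.getJSONObjectClaim("events").containsKey(LOGOUT_EVENT)
                    && c.getClaim("nonce") == null;
            String sid = c.getStringClaim("sid");   // this registry keys on sid, not sub
            if (!ok || sid == null) { resp.sendError(400, "invalid logout_token"); return; }
            SidSessionRegistry.invalidateBySid(sid); // 200 even if no session matched (idempotent)
            resp.setStatus(200);
        } catch (Exception e) {
            resp.sendError(400, "invalid logout_token");
        }
    }
}
```

Two points are easy to miss: the registry only works if every application calls `SidSessionRegistry.register` after login, and the endpoint only works if the provider is configured to send the `sid` claim (in Keycloak that is the client's back-channel logout URL together with the "session required" option). Because the logout token is a bearer of authority, reject anything that fails signature, issuer, audience or event checks rather than falling back to a best-effort match on `sub`.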

Farah Juma

May 5, 2023, 9:49:55 AM
to WildFly
Back-channel logout isn't supported yet but is something that we are planning on adding. Keep an eye on the following issue and PR for updates about this:

Claudio Weiler

May 5, 2023, 10:24:55 AM
to WildFly
Single sign out works, it just isn't immediate. You just need to wait for the token expiry (normally some minutes), and all applications will be logged out.

On your application, just call: HttpServletRequest.logout()

There could be some caveats with offline tokens...

> When a user logs out from one application I also want to log out from other applications (invalidating the sessions) in the same WildFly server.

KC SSO is based on KC session and cookie handling; it doesn't matter if your applications are on the same server or not, or even on the same domain.

Zeta

May 9, 2023, 1:32:15 AM
to WildFly
Hi Claudio!! First, thanks for your response...

The token expiration is not a valid approach for a Single Sign Out fired by a user who is requiring a logout from an application.
What about the refresh token? It could be used before the expiration to get a new access token, so there is no logout from other applications.

As Farah said 
> Back-channel logout isn't supported yet.

Claudio Weiler

May 9, 2023, 10:01:40 AM
to WildFly
The refresh token is used to get a new access token in a valid context. The authentication context is handled by KC, so when you log out you actually log out from KC; later, when another app uses the refresh token to get a new access token, a new authentication will be required.

See that I am not using the new OIDC adapter; I'm still using the Keycloak adapter because of the lack of authentication context propagation on EARs (fixed on WF 28, I think...). If the OIDC adapter isn't acting like this, then this is probably a bug (the OIDC adapter was built based on the KC adapter), and is not related to back-channel logout, which is another feature.
