kasmtech / workspaces-issues


[Bug] - Keycloak SSO integration does not seem to perform logout correctly #343

Open asubowo opened 1 year ago

asubowo commented 1 year ago


Describe the bug
OpenID integration with Keycloak doesn't seem to be initiating a front- or back-channel logout. After following the Kasm guide for Keycloak here, user login works as expected. No SSO issues are detected there. However, when attempting to log out from Kasm, /api/logout is called and the user is sent to the static login page. However, clicking the Keycloak SSO button on that screen will log you back in as the user you authenticated with via Keycloak, without being prompted for another login.

Calling the manual realm logout following Keycloak's specs here will clear the SSO session as expected.

To Reproduce
Steps to reproduce the behavior:

  1. Log into Kasm via Keycloak SSO (in this case, example foo)
  2. Log out of Kasm using the drop down menu
  3. When redirected to the static login page, log into Kasm again via Keycloak SSO
  4. Notice that a prompt for logging in via Keycloak is skipped completely, and you're logged in as user foo again.

Expected behavior
Clicking log out in the Kasm web UI appropriately clears the SSO session.


Workspaces Version
Version 1.12, containerized

Workspaces Installation Method
Single server

Additional context
Followed the Keycloak setup in the Kasm guide. Tried setting a multitude of front-channel and back-channel URLs in the client with no luck.

j-travis commented 1 year ago

Thanks for the feedback.

I think the main issue is that when we implemented OIDC, there was no official support or spec for a front/back channel logout mechanism like you would find for SAML - so not many IdPs exposed that functionality. It looks like the 1.0 specs were released in September of 22.

We will look into this in future revisions.

A workaround for now would be to use SAML instead of OIDC.
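The two logout halves the thread is discussing, as an added example that is not Kasm's or Keycloak's code: building the OpenID Connect RP-initiated logout redirect for a Keycloak realm (the realm logout endpoint that clears the SSO session) and validating the claims of an OIDC back-channel logout token before tearing down the local session. The realm name, client id and URLs are placeholders; only the `/realms/<realm>/protocol/openid-connect/logout` path is the real Keycloak endpoint.

```python
"""Added example, not Kasm's or Keycloak's code: the two halves of OIDC logout
the thread says are missing -- an RP-initiated logout redirect for a Keycloak
realm, and claim checks for an OIDC back-channel logout token.
Only the realm logout path (/realms/<realm>/protocol/openid-connect/logout)
is real Keycloak; realm name, client id and URLs used with it are placeholders."""
from urllib.parse import urlencode

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def build_keycloak_logout_url(base_url, realm, id_token_hint,
                              post_logout_redirect_uri, client_id):
    """Build the OpenID Connect RP-Initiated Logout 1.0 redirect. Sending the
    browser here ends the Keycloak SSO session, which is what a purely local
    /api/logout does not do (hence the silent re-login in the report)."""
    params = {
        "id_token_hint": id_token_hint,                  # identifies the session
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,                          # needed to match the redirect URI
    }
    return (f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"
            f"?{urlencode(params)}")


def validate_logout_token_claims(claims, expected_issuer, client_id, now):
    """Claim checks from OpenID Connect Back-Channel Logout 1.0. Assumes the
    logout token's JWT signature was already verified against the IdP keys.
    Returns (ok, reason); on ok the RP should end the session(s) matching
    'sub' and/or 'sid' and record 'jti' to reject replays."""
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not addressed to this client"
    if "nonce" in claims:  # prohibited: distinguishes logout tokens from ID tokens
        return False, "nonce present"
    if not claims.get("sub") and not claims.get("sid"):
        return False, "neither sub nor sid present"
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        return False, "missing backchannel-logout event"
    if "jti" not in claims or "iat" not in claims:
        return False, "missing jti or iat"
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"
    return True, "ok"
```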

asubowo commented 1 year ago

Great! One thing to note for SAML setup following the documentation: instead of username, I had to set the NameID Attribute in Kasm to unspecified in order to pull the username. Though emailAddress will also work just peachy too.

Looking forward to seeing OIDC complete! Thanks for listening.