oidc-wp / openid-connect-generic

WordPress plugin to provide an OpenID Connect Generic client
https://wordpress.org/plugins/daggerhart-openid-connect-generic/

Logout from all WP sites #545

Open jerasokcm opened 1 month ago

jerasokcm commented 1 month ago

Excuse me if I'm overlooking something, but it seems that the behavior is not the expected one.

I'm using Keycloak 24.0.4 as IDP. For testing, I'm using a couple of WordPress 6.5 sites. OpenID generic plugin 3.10.0 installed in both sites. Basic functionality works as expected.

Let's say I open the backend of site A in a browser. Keycloak login page appears and after entering credentials I get logged in. Then, in the same window, I open a new tab and go to the admin page of site B. As expected, I don't need credentials. I'm also logged in on site B. So far, so good. If I check Keycloak admin panel, I see the user in his realm with two active sessions for each client application.

Now, if I go to site A and click the logout link, I get logged out from that site. But on the other tab, if I refresh the page of site B, I see I'm still logged in there. I expect to be logged out from site B also. The Keycloak panel shows that the user has no active sessions, but the user still has a session on site B, until intentional logout is performed on that site.

Thanks in advance for your guidance.

timnolte commented 1 month ago

This plugin doesn't log out of the IDP; it only logs out the current client. Site A and Site B have their own sessions. This would be the same thing if you used Google as your login method on some service and logged out of that service, only to find that you've been logged out of Google everywhere on your machine.

timnolte commented 1 month ago

Also, a word of note is that WordPress maintains its own login. This plugin doesn't currently provide either Back-Channel or Front-Channel logout with the IDP, with the exception that when you configure the logout endpoint, it will log out of that session at the IDP.