bjlevine

Reputation: 984

Keycloak, mod_auth_openidc, and back-channel logout

Environment:

Not sure whether this is a Keycloak or mod_auth_openidc question, but let's see where this takes us...

I am trying to get back-channel logout working with the above configuration. My understanding is that if I hit the mod_auth_openidc logout URL (http://host/redirect_url?logout=http://host/...), this will in turn invoke the Keycloak SSO logout URL. And then this will call back on all RPs that support back-channel logout in order to give them the opportunity to kill their own sessions.

I've determined that the Keycloak logout URL is indeed invoked, but my app (which is protected using mod_auth_openidc) is never called back. I can see in the Keycloak log the following:

15:18:28,672 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-1) backchannel logout to: ultradev

15:18:28,675 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-1) Cant logout {0}: no logged adapter sessions

which indicates to me that mod_auth_openidc is not registered as a Keycloak "adapter." I'm also not sure whether Keycloak supports back-channel logout per the OpenIDC spec or whether this is their own proprietary mechanism. Keycloak does not advertise support for back-channel logout in their metadata endpoint.

In any case, my question boils down to: Is back-channel logout using mod_auth_openidc against Keycloak supported? I've found the Keycloak documentation on this to be somewhat confusing so it's entirely possible that I'm doing something wrong. Do I need to write a Keycloak adapter to make this work?

Just wondered whether any other mod_auth_openidc users have any experience here.

Thanks!

Upvotes: 0

Views: 1199

Answers (1)

Hans Z.

Reputation: 53948

Currently Keycloak does not support OIDC backchannel logout yet; the spec is not final yet but an implementer's draft only.

Upvotes: 0
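
As an added example (not from the question, the answer, Keycloak or mod_auth_openidc): the two checks a relying party can make under the OpenID Connect Back-Channel Logout specification, namely whether the OP's discovery metadata declares `backchannel_logout_supported` (the metadata check mentioned in the question) and whether the claims of a received logout token are acceptable. It assumes the token's signature has already been verified against the OP's keys; the issuer URL and token values are constructed, and the name from the log line is used as the client id.

```python
# Added example: not code from Keycloak or mod_auth_openidc.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def op_advertises_backchannel_logout(metadata):
    """True if the OP discovery document declares back-channel logout support."""
    return metadata.get("backchannel_logout_supported") is True


def logout_token_errors(claims, issuer, client_id):
    """List the problems in the claims of a signature-verified logout token."""
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss does not match the OP issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("aud does not include this client")
    for name in ("iat", "jti"):
        if name not in claims:
            errors.append(f"missing {name}")
    # The RP needs a user (sub) or a session (sid) to know what to terminate.
    if "sub" not in claims and "sid" not in claims:
        errors.append("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        errors.append("events lacks the back-channel logout member")
    # nonce is prohibited so that an ID token cannot pass as a logout token.
    if "nonce" in claims:
        errors.append("nonce must not be present")
    return errors


# Constructed sample data: hypothetical issuer, client id assumed from the log line.
ISSUER = "https://op.example.test/realms/demo"
METADATA = {"issuer": ISSUER, "end_session_endpoint": ISSUER + "/logout"}
GOOD = {"iss": ISSUER, "aud": "ultradev", "iat": 1500000000, "jti": "c1",
        "sid": "s-1", "events": {BACKCHANNEL_EVENT: {}}}
ID_TOKEN_LIKE = {"iss": ISSUER, "aud": "ultradev", "iat": 1500000000,
                 "sub": "u-1", "nonce": "n-1"}

if __name__ == "__main__":
    print("OP advertises support:", op_advertises_backchannel_logout(METADATA))
    print("logout token:", logout_token_errors(GOOD, ISSUER, "ultradev"))
    print("ID-token-like:", logout_token_errors(ID_TOKEN_LIKE, ISSUER, "ultradev"))
```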
