
Keycloak broker does not send a logout request to external IdP to clear the User's session - Stack Overflow


I am testing a scenario where I have my Keycloak run as a broker (KC1) on a server where my application runs. I've configured another Keycloak server as an external IdP (KC2) on a different server. Both Keycloaks are version 26.0.1. Communication is done via SSL, with keystores and truststores on each side. KC1 runs with --features=transient-users. For this feature to work, I also modified the default first broker login flow to disable the Review Profile, since I am not interested in creating a copy of the users that log in from KC2. Also, in my IdP definition of KC2, I have Do not store users: ON. All this works as expected.

The general flow is this:

A User is accessing my application's URL: https://myserver1:45002/myApp

myApp has a SpringBoot back-end with Angular front-end. The application.yml file contains my KC1 realm details: issuer-uri: https://myserver1:45003/realms/myRealm scope: openid client-id: myClientApp

My application will redirect the user from https://myserver1:45002/myApp to https://myserver1:45003/realms/myRealm/protocol/openid-connect/auth... login page.

Now, I am in the KC1 login page. I can choose to enter some credentials to use with the default KC1 or access my external IdP for login. Using my KC1 works as expected. Upon successful login, I am redirected to my application, KC1 will create a session that I can see in the admin console (and authorization and refresh tokens in the browser), and when I log out, the authorization token and refresh tokens are revoked, and my session from KC1 is removed. All is working as intended.

When I click on using my KC2 external IdP, I am redirected, as expected, to: https://myserver2:45003/realms/myRealm/protocol/openid-connect/auth... Now, I am in the KC2 login page. I can enter credentials for users from KC2. After myServer2 authenticates the user, I am redirected back to KC1 and further to my application, as expected. I can see that KC1 generated the authentication and refresh token. I can see the new session for the transient user in KC1. I can also see the regular session of my user in my KC2 admin console. When I log out, however, the transient session for this user in KC1 is removed and the tokens are removed from the browser, but the session for this user remains active in KC2. I also want to remove this session when logging out of my application.

I have used all possible backchannel configs available in my configurations below, but for some reason, when I log out, KC1 will not send a request to KC2 for logout. I checked both servers logs. I enabled TRACE level. When I log out, there is no activity on KC2. There are no errors in my browser console or in my application back-end.

The myClientApp client from KC1 -> myRealm has the following configs:

Client ID: myClientApp

Root URL: https://myserver1:45002/myApp

Home URL: https://myserver1:45002/myApp

Valid redirect URIs: https://myserver1:45002/*

Valid post logout redirect URIs: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout

Web origins: https://myserver1:45002/

Admin URL: https://myserver1:45002/myApp

Authentication flow: Standard flow and Direct access grants

Logout settings:

Front channel logout: OFF

Backchannel logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout

Backchannel logout session required: ON

Backchannel logout revoke offline sessions: ON

My IdP definition for KC2 as external IdP, from KC1 Identity Providers:

Redirect URI: https://myserver1:45003/realms/myRealm/broker/KC2-IdP/endpoint

Alias and Display name has the same value: KC2-IdP

Authorization URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/auth

Token URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/token

Logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout

User Info URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/user-info

Issuer: https://myserver2:45003/realms/myRealm-myServer2/

Validate Signature: ON

USE JWKS URL: ON

JWKS URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/certs

Use PKCE: OFF

Client Authentication: Client secret sent as post

Client ID: KC2-IdP (this is the client name defined in my KC2 -> myRealm-myServer2 realm. It has the same name as the IdP definition of external KC2 from KC1 Identity Providers)

Client secret: ******* (the secret I copied and pasted, of the KC2-IdP client from KC2, myRealm-myServer2)

In the Advanced settings toggle menu, I have set Backchannel logout to ON. The rest of the options are set to OFF.

Everything else is set to OFF, except Do not store users, which is ON.

Lastly, my KC2-IdP client from the KC2 server, myRealm-myServer2 realm:

client ID: KC2-IdP

Root URL: blank

Home URL: blank

Valid redirect URIs: https://myserver1:45003/*

Valid post logout redirect URIs: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout

Web origins: *

Admin URL: blank

Client authentication: ON

Authentication flow: Standard flow and Direct access grants

Logout settings:

Front channel logout: OFF

Backchannel logout URL: https://myserver2:45003/realms/myRealm-myServer2/protocol/openid-connect/logout

Backchannel logout session required: ON

Backchannel logout revoke offline sessions: ON

I've tried for days to understand what mistake I've made with these configurations, but everything I've tried never worked. Any help or idea I can try is welcome.

Thank you.
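As an added example, not part of the question above and not Keycloak's own code, the following Python block shows the two distinct logout directions involved when a Keycloak broker fronts an external OIDC IdP, since the configuration above names a logout URL in both places: (1) RP-initiated logout, where the broker acts as the RP of the external IdP and calls the IdP's end_session endpoint with an id_token_hint, and (2) OpenID Connect Back-Channel Logout, where an OP POSTs a signed logout_token JWT to a client's Backchannel logout URL and the client validates it. It also cross-checks hand-typed IdP settings against the discovery document a Keycloak realm publishes at /realms/<realm>/.well-known/openid-configuration. Assumptions: the logout_token is signed with HS256 and a shared secret so the example runs offline (a Keycloak realm signs with its RS256 realm key, verified against the JWKS URL); the discovery document is constructed in the shape Keycloak publishes; the sample IdP config copies the values from the question as written; all hostnames and secrets are illustrative.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_initiated_logout_url(end_session_endpoint, id_token_hint, client_id,
                            post_logout_redirect_uri=None):
    """Direction 1: broker (as RP of the external IdP) -> IdP end_session endpoint.
    id_token_hint is the ID token the IdP issued at login and tells the IdP which
    session to end; a post_logout_redirect_uri must be registered on the IdP-side
    client under "Valid post logout redirect URIs"."""
    params = {"id_token_hint": id_token_hint, "client_id": client_id}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    return end_session_endpoint + "?" + urlencode(params)


def make_logout_token(secret, issuer, audience, sid, iat=None):
    """Direction 2: OP -> client. The OP POSTs this JWT as form field
    'logout_token' to the client's Backchannel logout URL. HS256 with a shared
    secret is an assumption for an offline example; Keycloak uses the realm's
    RS256 key, which the receiver verifies against the realm JWKS URL."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    claims = {"iss": issuer, "aud": audience,
              "iat": iat if iat is not None else int(time.time()),
              "jti": "constructed-jti-1", "sid": sid,
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    signing_input = ".".join(_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_logout_token(token, secret, expected_issuer, expected_audience,
                          now=None, max_age=300):
    """Receiver-side checks from OpenID Connect Back-Channel Logout 1.0 (sec. 2.6).
    Returns the claims, raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat outside acceptable window")
    if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    if not (claims.get("sid") or claims.get("sub")):
        raise ValueError("logout token needs sid or sub")
    return claims


def check_idp_against_discovery(idp_config, discovery):
    """Compare hand-typed broker IdP settings with the IdP's published
    openid-configuration. Exact string match on purpose: Keycloak publishes
    its issuer without a trailing slash."""
    mapping = {"issuer": "issuer", "authorization_url": "authorization_endpoint",
               "token_url": "token_endpoint", "logout_url": "end_session_endpoint",
               "user_info_url": "userinfo_endpoint", "jwks_url": "jwks_uri"}
    return [f"{k}: configured {idp_config.get(k)!r}, published {discovery.get(v)!r}"
            for k, v in mapping.items() if idp_config.get(k) != discovery.get(v)]


KC2 = "https://myserver2:45003/realms/myRealm-myServer2"
# Constructed discovery document in the shape a Keycloak realm publishes.
KC2_DISCOVERY = {
    "issuer": KC2,
    "authorization_endpoint": KC2 + "/protocol/openid-connect/auth",
    "token_endpoint": KC2 + "/protocol/openid-connect/token",
    "end_session_endpoint": KC2 + "/protocol/openid-connect/logout",
    "userinfo_endpoint": KC2 + "/protocol/openid-connect/userinfo",
    "jwks_uri": KC2 + "/protocol/openid-connect/certs",
}
# The broker-side IdP settings, copied from the question as written.
IDP_CONFIG_FROM_QUESTION = {
    "issuer": KC2 + "/",
    "authorization_url": KC2 + "/protocol/openid-connect/auth",
    "token_url": KC2 + "/protocol/openid-connect/token",
    "logout_url": KC2 + "/protocol/openid-connect/logout",
    "user_info_url": KC2 + "/protocol/openid-connect/user-info",
    "jwks_url": KC2 + "/protocol/openid-connect/certs",
}
```

Running check_idp_against_discovery(IDP_CONFIG_FROM_QUESTION, KC2_DISCOVERY) lists every field whose configured value differs from what the realm publishes; fetching the real discovery document from KC2 and feeding it in place of the constructed one is the practical version of that check. The same two-direction model applies to any OIDC IdP behind the broker, not only a second Keycloak.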
