For reference, this is what I've done in the meantime to get this to work with Keycloak:
## Keycloak Backchannel Logout

```python
import logging
from importlib import import_module

import jwt
from allauth.socialaccount.models import SocialAccount
from django.conf import settings
from django.contrib.auth import logout
from django.contrib.sessions.models import Session
from django.http import HttpRequest, HttpResponse
from django.views.decorators.csrf import csrf_exempt

logger = logging.getLogger(__name__)


def init_session(session_key):
    """Initialize the same session store as ``SessionMiddleware`` does."""
    engine = import_module(settings.SESSION_ENGINE)
    return engine.SessionStore(session_key)


@csrf_exempt
def backchannel_logout(request):
    """
    Keycloak is set to send a POST request to this route if a user logs out
    via another application, such as Superset. This function will ensure the
    user is logged out of this app as well.
    """
    # First run a bunch of checks to make sure that the request is valid
    if request.method != 'POST':
        return HttpResponse(status=405)
    if settings.KEYCLOAK_PUBLIC_KEY is None:
        return HttpResponse(status=501)
    t = request.POST.get('logout_token')
    if t is None:
        return HttpResponse(status=400)
    try:
        # Signature, audience and expiry are checked by PyJWT; the algorithm
        # list is pinned so the token cannot choose its own.
        decoded = jwt.decode(
            t,
            key=settings.KEYCLOAK_PUBLIC_KEY,
            algorithms=['RS256'],
            audience=settings.KEYCLOAK_APPS,
        )
        uid = decoded['sub']
        aud = decoded['aud']
    except Exception as e:
        logger.error(f"Backchannel logout failed: {e}")
        return HttpResponse(status=406)
    if not SocialAccount.objects.filter(uid=uid).exists():
        logger.warning(f"User {uid} does not exist in this application.")
        return HttpResponse(status=406)

    # If we made it this far, then the request checks out. Continue to log
    # the user out of every server-side session that belongs to them.
    user = SocialAccount.objects.get(uid=uid).user
    sessions = [
        s for s in Session.objects.all()
        if s.get_decoded().get('_auth_user_id') == str(user.id)
    ]
    request = HttpRequest()
    for session in sessions:
        request.session = init_session(session.session_key)
        logout(request)
    if len(sessions) != 0:
        logger.debug(f"{user.username} has been logged out by {aud}")
    return HttpResponse(status=200)
```
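The handler above leaves claim validation to `jwt.decode`, which covers signature, audience and expiry but not the checks that are specific to a logout token (section 2.6 of the Back-Channel Logout spec linked in this issue: the `events` claim must carry the backchannel-logout member, `nonce` must be absent, and `sub` or `sid` must be present). The following is an added example, not code from this comment, from django-allauth or from Keycloak, showing those checks applied to a parsed token. It assumes HS256 with a constructed shared secret so that it runs offline; Keycloak signs logout tokens with RS256 and its realm key, for which PyJWT is the right tool. The issuer URL, client ids, secret and user id are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Section 2.4 of OpenID Connect Back-Channel Logout 1.0: a logout token
# carries this member in its "events" claim, with a JSON object as value.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS signed with HS256. Constructed fixture only:
    Keycloak signs logout tokens with RS256 using its realm key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_logout_token(token, secret, issuer, client_ids, now=None):
    """Verify the signature, then apply the Logout Token checks of section 2.6
    of the Back-Channel Logout spec. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud & set(client_ids):
        raise ValueError("audience mismatch")
    if "iat" not in claims:
        raise ValueError("missing iat")
    if "exp" in claims and claims["exp"] < now:  # exp is optional in the spec
        raise ValueError("token expired")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks backchannel-logout member")
    # A logout token must not carry a nonce; a replayed ID token would.
    if "nonce" in claims:
        raise ValueError("nonce present")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    return claims


# Constructed values for the demonstration (assumed, not from any deployment).
ISSUER = "https://sso.example.test/realms/demo"
CLIENT_IDS = {"django-app", "superset"}
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000


def base_claims():
    return {
        "iss": ISSUER,
        "aud": ["django-app", "superset"],
        "iat": NOW - 5,
        "exp": NOW + 115,
        "jti": "c0ffee-1",
        "sub": "2d8f0c1e-assumed-keycloak-user-id",
        "sid": "sess-1",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }


def run_checks():
    """Map each scenario to 'accepted' or the reason the token was rejected."""
    id_token_like = base_claims()
    del id_token_like["events"]
    id_token_like["nonce"] = "n-0S6_WzA2Mj"
    wrong_aud = base_claims()
    wrong_aud["aud"] = "other-app"
    scenarios = [
        ("good", base_claims(), SECRET),
        ("id_token", id_token_like, SECRET),
        ("wrong_aud", wrong_aud, SECRET),
        ("forged", base_claims(), b"attacker-key"),
    ]
    results = {}
    for name, claims, signing_key in scenarios:
        token = make_hs256_token(claims, signing_key)
        try:
            validate_logout_token(token, SECRET, ISSUER, CLIENT_IDS, now=NOW)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results
```

In the Django view this would sit between `jwt.decode` and the `SocialAccount` lookup, operating on the `decoded` dict; the spec also suggests tracking recently seen `jti` values so a captured logout token cannot be replayed.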
@pennersr, I managed to get it working, allauth is flawless here 😁
What I'm unsure of is the Keycloak side.
There is a concept of client scopes and groups to which you can attach additional attributes. It's complex and depends on user experience rather than documentation. I was hoping to hear how other Django users are doing this.
Are there any plans to add backchannel logouts to this library?
I have a collection of applications that use one OIDC provider. When a user logs out of one app, I'd like them to be logged out of the others.
https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRequest