Back channel logout

[pohjamat]

Hi,

I use mod_auth_openidc and Keycloak 19.0.2 to integrate to identity provider. To Keycloak client section I have configured back channel logout url: https://gateway:443/api/logout/backchannel
When I logout other service from identity provider, it sends logout request to keycloak, this part works.
But my mod_auth_openidc configuration is probably wrong, I cannot see any backchannel logout claims in apache log.
Login flow works, also logout flow from my ui. But back channel logout initiated by identity provider I cannot get working.
How support for backchannel logout should be configured to mod_auth_openidc?

thanks in advance!
regards, Matti

Here's my configuration:
<VirtualHost *:443>
ServerName localhost
LogLevel debug
#DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /certs/apache-selfsigned.crt
SSLCertificateKeyFile /certs/apache-selfsigned.key

# mod_auth_openidc config
OIDCProviderMetadataURL ${OIDC_METADATA_URL}
OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
OIDCSSLValidateServer Off

OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCScope ${OIDC_SCOPE}
OIDCResponseType code
OIDCRedirectURI /redirect

# Common config for all URLs
<Location "/">
	# Require oidc authentication
	AuthType openid-connect
	Require expr %{REQUEST_URI} =~ m#^/loggedout#
	Require expr %{REQUEST_URI} =~ m#^/api/logout/backchannel#
	Require valid-user
</Location>
ProxyPreserveHost On
# Proxy to backend ...
    # Proxy to frontend ...

In apache log there's following when identity provider initiates logout through keycloak:
[Tue Oct 04 11:09:27.573537 2022] [ssl:info] [pid 23:tid 139961911211584] [client x.x.x.x:54050] AH01964: Connection to child 79 established (server localhost:443)
[Tue Oct 04 11:09:27.573804 2022] [ssl:debug] [pid 23:tid 139961911211584] ssl_engine_kernel.c(2425): [client x.x.x.x:54050] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Oct 04 11:09:27.580887 2022] [ssl:debug] [pid 23:tid 139961911211584] ssl_engine_kernel.c(2254): [client x.x.x.x:54050] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Oct 04 11:09:27.581094 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(508): AH00831: socache_shmcb_store (0x6d -> subcache 13)
[Tue Oct 04 11:09:27.581127 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(862): AH00847: insert happened at idx=0, data=(0:32)
[Tue Oct 04 11:09:27.581134 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(865): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/194
[Tue Oct 04 11:09:27.581140 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(530): AH00834: leaving socache_shmcb_store successfully
[Tue Oct 04 11:09:27.581288 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(508): AH00831: socache_shmcb_store (0x84 -> subcache 4)
[Tue Oct 04 11:09:27.581301 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(862): AH00847: insert happened at idx=1, data=(203:235)
[Tue Oct 04 11:09:27.581306 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(865): AH00848: finished insert, subcache: idx_pos/idx_used=0/2, data_pos/data_used=0/397
[Tue Oct 04 11:09:27.581311 2022] [socache_shmcb:debug] [pid 23:tid 139961911211584] mod_socache_shmcb.c(530): AH00834: leaving socache_shmcb_store successfully
[Tue Oct 04 11:09:27.588930 2022] [ssl:debug] [pid 23:tid 139961911211584] ssl_engine_kernel.c(415): [client x.x.x.x:54050] AH02034: Initial (No.1) HTTPS request received for child 79 (server localhost:443)
[Tue Oct 04 11:09:27.589003 2022] [authz_core:debug] [pid 23:tid 139961911211584] mod_authz_core.c(815): [client x.x.x.x:54050] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^/loggedout#: denied
[Tue Oct 04 11:09:27.589024 2022] [authz_core:debug] [pid 23:tid 139961911211584] mod_authz_core.c(815): [client x.x.x.x:54050] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^/api/logout/backchannel#: granted
[Tue Oct 04 11:09:27.589031 2022] [authz_core:debug] [pid 23:tid 139961911211584] mod_authz_core.c(815): [client x.x.x.x:54050] AH01626: authorization result of : granted
[Tue Oct 04 11:09:27.589202 2022] [auth_openidc:debug] [pid 23:tid 139961911211584] src/util.c(2473): [client x.x.x.x:54050] oidc_util_hdr_in_get: Host=gateway:443
[Tue Oct 04 11:09:27.589217 2022] [auth_openidc:debug] [pid 23:tid 139961911211584] src/util.c(2473): [client x.x.x.x:54050] oidc_util_hdr_in_get: Host=gateway:443
[Tue Oct 04 11:09:27.589223 2022] [auth_openidc:debug] [pid 23:tid 139961911211584] src/util.c(649): [client x.x.x.x:54050] oidc_get_redirect_uri: determined absolute redirect uri: https://gateway:443/redirect
[Tue Oct 04 11:09:27.589228 2022] [auth_openidc:debug] [pid 23:tid 139961911211584] src/util.c(1388): [client x.x.x.x:54050] oidc_util_request_matches_url: comparing "/api/logout/backchannel"=="/redirect"
[Tue Oct 04 11:09:27.589234 2022] [proxy:debug] [pid 23:tid 139961911211584] mod_proxy.c(1503): [client x.x.x.x:54050] AH01143: Running scheme http handler (attempt 0)
[Tue Oct 04 11:09:27.589239 2022] [proxy:debug] [pid 23:tid 139961911211584] proxy_util.c(2531): AH00942: http: has acquired connection for (host.docker.internal)
[Tue Oct 04 11:09:27.589244 2022] [proxy:debug] [pid 23:tid 139961911211584] proxy_util.c(2587): [client x.x.x.x:54050] AH00944: connecting http://host.docker.internal:8102/test/api/logout/backchannel to host.docker.internal:8102
[Tue Oct 04 11:09:27.589260 2022] [proxy:debug] [pid 23:tid 139961911211584] proxy_util.c(2810): [client x.x.x.x:54050] AH00947: connected /test/api/logout/backchannel to host.docker.internal:8102
[Tue Oct 04 11:09:27.657464 2022] [proxy:debug] [pid 23:tid 139961911211584] proxy_util.c(2546): AH00943: http: has released connection for (host.docker.internal)

[zandbelt]

from where did you get the value of the module's backchannel logout URL /api/logout/backchannel ?

[pohjamat]

The backchannel logout url is end point of my spring boot application. Configuration has following:
ProxyPass "/api/logout/backchannel" "http://host.docker.internal:8102/test/api/logout/backchannel"
Obviously this was a wrong guess what to put to keycloak as backchannel url.

[zandbelt]

for killing mod_auth_openidc's session via a backchannel call, the request needs to come in to <redirect_uri>?logout=backchannel as mentioned here https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management#back-channel-logout

[pohjamat]

Ok, I try with https://gateway:443/redirect?logout=backchannel

Thank you for your help!

[pohjamat]

Changing configuration in keycloak by suggested way looks promising. Now I can see in keycloak log:
logout success for https://gateway:443/redirect?logout=backchannel: true

When refreshing browser after backchannel logout it goes to login sequence.
This seems to be way forward. Thank you for your help!