Single Logout (SLO) does not work as expected between Keycloak and Grafana

shaiksaif279 · May 14, 2025, 12:02pm

Hi Community,

We are experiencing an issue where Single Logout (SLO) does not work as expected between Keycloak and Grafana.

Setup:
Keycloak version: 23.0.3

Grafana version: v10.3.3

use generic auth for configuring keycloak.

Logout URL configured in Grafana generic oauth:
“http://keycloak-server/realms/realm-name/protocol/openid-connect/logout?
post_logout_redirect_uri=grafana-server”

Expected Behavior:
Logging out from the Keycloak console ( any other client application) should
terminate all active sessions, including those in Grafana.

Actual Behavior:
Even after logging out from the Keycloak console:
Sedsion in Grafana remain active.

Steps to Reproduce:
Configure Grafana to authenticate via Keycloak using generic oauth.
Log in to grafana using Keycloak.
Log out from the Keycloak console (or another client).

Observe that Grafana server sessions are still active.

Is there any additional configuration required on the grafana side to properly support SLO?

Any help or guidance would be appreciated.
Thanks in advance

jangaraj · May 14, 2025, 12:09pm

That’s Back-Channel Logout, which is not implemented in the Grafana.

github.com/grafana/grafana

Back channel OIDC logout

opened 08:05AM - 12 Mar 24 UTC

hagaram

type/feature-request

Hello, lately RP initiated logout was iplemented in Grafana, which is great a…nd that you very much for that. What is still missing and I think is very important part of OIDC is backchannel logout: https://openid.net/specs/openid-connect-core-1_0.html#OpenID.BackChannel When offboarding a user for example, it would be nice to be able to logout user from SSO and the user would also be logged out from Grafana itself. Now we have to logout user separately, which kinda downgrades SSO usage. Other way I can think of would be that grafana checks if the user session in keycloak is still active and logout the user if its not. But thats not really a backchannel logout. Some software I've encountered handle it this way and it is good enough. But I havent found a way how to do this in Grafana either. Thank you very much.

shaiksaif279 · May 22, 2025, 1:29pm

Hi @jangaraj ,

Thank you for confirming that back-channel logout is not currently implemented in Grafana. Could you please let us know:

When will this feature be implemented?
Is it on the development backlog?

Your guidance on this matter is crucial for our furture development

Best regards
Saif

jangaraj · May 22, 2025, 1:55pm

I know nothing about it. I’m not a Grafana employee, so I don’t have any access to those plans.

Topic		Replies	Views
Single sign out Authentication	14	11083	October 14, 2024
Using generic oAuth - the grafana local session remain active even though the session in the oAuth service is ended Authentication	1	1288	June 7, 2023
Grafana backchannel logout when connected to SSO or workaround Authentication	1	358	March 11, 2024
OAuth2/OpenID Sign Out (Grafana + Keycloak) Authentication	11	10958	April 12, 2019
Oauth sign-out issue. After signing out login automatically Authentication azure , oauth , azure-ad	6	3363	August 11, 2023

Single Logout (SLO) does not work as expected between Keycloak and Grafana

Related topics