Implement back-channel logout

[gluap]

Currently the logout correctly logs out of the OpenBikeSensor portal, but does not invalidate the keycloak login.

Expected behaviour:

• log in
• log out via logout on openbikesensor page
• click login again
• asked for password and username again

actual behaviour:

• log in
• log out via logout
• click login again
• logged into last logged in users session WITHOUT being asked for username and password

The problem with this is that there is currently no way for an user to invalidate their session.

This means that for instance when logging in from third party system the next user of that system may be able to access the users data without having to provide credentials.

[opatut]

There is a possibility of a so-called "backchannel logout" in keycloak, which is exactly this: The application, when ending the user session, sends the user agent to the auth server to terminate the session there as well.

It just needs to be implemented ;)

[gluap]

Yeah, I'm currently looking through keycloak documentation.

[opatut]

It might be that back-channel is actually the wrong name, I might be confused ;) https://openid.net/specs/openid-connect-backchannel-1_0.html

But there is a way ;)