
Backchannel logout notification to client for Update_Password AIA does not include all the session ids #32124

@Jayashree-Rajendran

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

  1. Establish 3 active sessions of User1 using the same client.

  2. Change the password of User1 from session1 using AIA and enable “Sign Out from other devices”.

  3. In the Keycloak console, I see the other sessions are removed; only one active session is present (the session from which the password was updated successfully), as expected.

  4. But only a single backchannel logout request is performed to the client, in which I see only one sid present in the Logout_Token. The client will terminate only this sid internally; the other session info will not be cleaned up on the client side.

It is impossible for the client to identify which of the sessions to actively terminate, as seemingly only one of the active sessions in Keycloak will be submitted as a backchannel logout request.

Version

25.0.0

Regression

  • The issue is a regression

Expected behavior

I would have expected one request per session, so that the client receives all three SID logout requests.

Actual behavior

Keycloak sends only one backchannel logout, which carries only one of these sids.

How to Reproduce?

Same as mentioned in description

Anything else?

No response
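To show what the client side sees, here is an added example (not Keycloak's code or the reporter's): a minimal relying-party logout-token handler that applies the validation steps of OpenID Connect Back-Channel Logout 1.0 and terminates the session named by `sid`, run over three constructed sessions of one user. With a single token carrying one sid, a session Keycloak has already dropped stays alive at the client. The signing key, issuer, client id and session ids are constructed placeholders, and HS256 stands in for the OP's real asymmetric signature.

```python
import base64, hashlib, hmac, json
from typing import Dict, List

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SHARED_KEY = b"constructed-demo-key"  # placeholder; a real RP verifies the OP's published key
ISSUER, CLIENT_ID = "https://op.example/realms/demo", "app"  # constructed values

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(claims: dict) -> str:
    """Constructed HS256 logout token standing in for the OP's signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str) -> dict:
    """RP-side checks from Back-Channel Logout 1.0 sec. 2.6: signature, iss/aud, event, no nonce, sid or sub."""
    header, body, sig = token.split(".")
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("iss/aud mismatch")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    if not (claims.get("sid") or claims.get("sub")):
        raise ValueError("sid or sub required")
    return claims

def apply_logout(sessions: Dict[str, dict], token: str) -> List[str]:
    """Ends the RP session named by sid (or every session of sub when no sid); returns remaining ids."""
    claims = validate_logout_token(token)
    if claims.get("sid"):
        sessions.pop(claims["sid"], None)  # one sid identifies exactly one RP session
    else:
        for k in [k for k, v in sessions.items() if v["sub"] == claims["sub"]]:
            sessions.pop(k)
    return sorted(sessions)

def simulate(sids_notified: List[str]) -> List[str]:
    """Three constructed sessions of user1; the OP sends one logout token per sid in sids_notified."""
    sessions = {f"sid-{i}": {"sub": "user1"} for i in (1, 2, 3)}
    for sid in sids_notified:
        tok = make_logout_token({"iss": ISSUER, "aud": CLIENT_ID, "iat": 1, "jti": "jti-" + sid,
                                 "sub": "user1", "sid": sid, "events": {BACKCHANNEL_EVENT: {}}})
        apply_logout(sessions, tok)
    return sorted(sessions)
```

`simulate(["sid-2"])` mirrors the reported behaviour (sid-3 stays alive at the client although the OP removed it), while `simulate(["sid-2", "sid-3"])` is the expected one-token-per-session outcome that leaves only the session where the password was changed.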
