Keycloak Logout Request

Solution 1

From the official documentation:

You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout().

For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri, which logs you out if you have an SSO session with your browser.

To get the exact URL of the app (host, realm and redirect_uri configuration):

• Log in to your Keycloak user account
• Open up the developer console of the browser
• Perform the logout operation
• Note down the URL that was used to request for logout
• Use the same URL from your application to perform the logout

Solution 2

If you are not creating your own adaptor, but using e.g. an OpenID certified library, you might want to use that library to logout, because otherwise, as ch271828n describes, you might logout from Keycloak but retain the session and access tokens...

In my case, I was using openresty and lua-resty-openidc

Accessing the keycloack logout url https://<keycloak-server>/auth/realms/<my-realm>/protocol/openid-connect/logout (as detailed in @aName's answer) is done by lua after we access the opts.logout_path at https://<our-nginx-server>/service/logout

So after setting up everything correctly, all we have to do to logout is use the logout for our OpenID client at https://<our-nginx-server>/service/logout. This will destroy the session and log us out both from the client and Keycloak.

I think I had to set opts.revoke_tokens_on_logout to true, Also note that from my experiments, for some reason, setting up a redirect_after_logout_uri may result in the user not signing out due to redirections.

Here is an example of what I needed to have for nginx.conf to make this work....

location /myservice/ {

    access_by_lua_block {
        local opts = {
            redirect_uri_path = "/myservice/auth",
            discovery = "https://<keycloak-server>/auth/realms/<my-realm>/.well-known/openid-configuration",
            client_id = "<my-client-id>",
            client_secret = "<the-clients-secret>",
            logout_path = "/service/logout",
            revoke_tokens_on_logout = true,
            session_contents = {id_token=true} -- this is essential for safari!
        }
        -- call introspect for OAuth 2.0 Bearer Access Token validation
        local res, err = require("resty.openidc").authenticate(opts)

        if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }

    # I disbled caching so the browser won't cache the site.
    expires           0;
    add_header        Cache-Control private;

    proxy_pass http://my-service-server.cloud:port/some/path/;
    proxy_set_header Host $http_host;

    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Author by

Stack

Updated on July 09, 2022