 

Keycloak User Logout

I'm having trouble allowing users to log out of an application that uses Keycloak for access management.

I have found this topic being discussed here and there, but not clear instructions on how to handle the logout.

I tried to cause the logout of a user by redirecting the browser to an endpoint of the following format:

https://example.com/auth/realms/myrealm/protocol/openid-connect/logout?id_token_hint=mytoken&post_logout_redirect_uri=https://example.com/initialpage/

What I used as "mytoken" was the access_token I had obtained making a post request to the endpoint:

https://example.com/auth/realms/playipintern/protocol/openid-connect/token

passing to it parameters like the ones below:

grant_type="authorization_code" 
code=code_obtained_from_a_url_to_which_keycloak_redirected_the_browser 
client_id=client_id_created_using_key_cloak_gui 
redirect_uri=the_to_which_keycloak_redirected_the_browser

and reading the body of the response. The content of the body was JSON, like the one below:

{
    "access_token": "long_token_I_used_later_as_token_hint_trying_to_logout",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "other_long_token",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "a_shorter_code",
    "scope": "email profile"
}

My logout attempt resulted in the following message in Keycloak's log:

22:53:51,686 WARN [org.keycloak.events] (default task-24) type=LOGOUT_ERROR, realmId=playipintern, clientId=null, userId=null, ipAddress=192.168.16.1, error=invalid_token

and the response said "We are sorry, session not active".

Now I'm aware that I should have used the id_token and not the access_token to logout, but received no id_token in the json.

Somewhere, someone said I should have included

scope=openid

in the parameters that I used to obtain the token. I did it, expecting to find an "id_token" field in the json, but nothing changed.

Someone else reported to have needed to create a scope (I believe using Keycloak's GUI) named "openid" to obtain the token. That didn't make much sense to me, but I tried it anyway and added the just created scope to the client scopes using Keycloak's GUI again. Once more, the JSON didn't change.

I tried to use the refresh_token as the id_token, but that also resulted in an invalid token message.

I don't know what to try now. Any help is appreciated.

Thank you.

Asked by jesjf, Sep 20 '25 10:09


1 Answer

There are 2 ways to logout from Keycloak:

  1. Logout by user id.

     In this case it will clear all the available sessions.

     POST: {{Base_URL}}/admin/realms/{{Realm_name}}/users/bac5ae23-9ad6-4bb5-88b4-70f1b83a416a/logout

  2. Logout using refresh token.

     This will clear just the ongoing session for that user.

     POST: {{Base_URL}}/realms/{{Realm_name}}/protocol/openid-connect/logout

Note: Refresh token is given with keycloak login response

Answered by Sineth Lakshitha, Sep 22 '25 06:09
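A worked example in Python, added here and not part of either post, that ties the two together: request scope=openid so the token response carries an id_token, build the browser logout URL from that id_token (not the access_token that produced the invalid_token error above), and build the refresh-token and admin logout requests from the answer. base_url (which includes /auth on the older Keycloak layout used in the question), realm, client id/secret, user id and the sample token response are all assumed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed sample token response, shaped like the one in the question
# (no id_token because scope=openid was not requested; values are placeholders).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER", "expires_in": 300,
    "refresh_expires_in": 1800, "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "token_type": "bearer", "not-before-policy": 0,
    "session_state": "SESSION_STATE_PLACEHOLDER", "scope": "email profile",
})


def token_request_form(code, client_id, redirect_uri):
    """Form body for the authorization-code exchange. scope=openid is what makes
    Keycloak return an id_token next to the access_token."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "redirect_uri": redirect_uri,
                      "scope": "openid"})


def rp_initiated_logout_url(base_url, realm, token_response_json, post_logout_redirect_uri):
    """Browser logout URL (the question's approach). id_token_hint must carry the
    id_token; passing the access_token is what produced LOGOUT_ERROR/invalid_token.
    Returns None when the response has no id_token, so the caller can fall back to
    the refresh-token logout below instead of sending a token Keycloak will reject."""
    id_token = json.loads(token_response_json).get("id_token")
    if id_token is None:
        return None
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{base_url}/realms/{realm}/protocol/openid-connect/logout?{query}"


def refresh_token_logout_request(base_url, realm, token_response_json,
                                 client_id, client_secret=None):
    """Refresh-token logout (the answer's option 2): POST this form to the logout
    endpoint; it ends only the session the refresh token belongs to."""
    form = {"client_id": client_id,
            "refresh_token": json.loads(token_response_json)["refresh_token"]}
    if client_secret:  # confidential clients also have to send their secret
        form["client_secret"] = client_secret
    return f"{base_url}/realms/{realm}/protocol/openid-connect/logout", urlencode(form)


def admin_logout_url(base_url, realm, user_id):
    """Admin-API logout (the answer's option 1): POSTing here with an admin bearer
    token ends every session of that user."""
    return f"{base_url}/admin/realms/{realm}/users/{user_id}/logout"
```

Each function only builds the request; send it with any HTTP client, and treat a None from rp_initiated_logout_url as the signal that the token endpoint never granted scope=openid.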