I wanted to ask if there is a way to logout from keycloak via a single http request.
I already tried to POST /protocol/openid-connect/logout or /tokens/logout, but the result is always an ORIGIN problem.
But the calling ORIGIN is configured in keycloak and the login with a request works.
Any chance here to logout without redirecting or opening another window?
Best regards and thanks! :)
From the official documentation:
You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri, which logs you out if you have an SSO session with your browser.
To get the exact URL of the app (host, realm and redirect_uri configuration):
If you are not creating your own adaptor, but using e.g. an OpenID certified library, you might want to use that library to logout, because otherwise, as ch271828n describes, you might logout from Keycloak but retain the session and access tokens...
In my case, I was using openresty and lua-resty-openidc.
Accessing the keycloak logout url https://<keycloak-server>/auth/realms/<my-realm>/protocol/openid-connect/logout (as detailed in @aName's answer) is done by lua after we access the opts.logout_path at https://<our-nginx-server>/service/logout.
So after setting up everything correctly, all we have to do to logout is use the logout for our OpenID client at https://<our-nginx-server>/service/logout. This will destroy the session and log us out both from the client and Keycloak.
I think I had to set opts.revoke_tokens_on_logout to true. Also note that, from my experiments, for some reason, setting up a redirect_after_logout_uri may result in the user not signing out due to redirections.
Here is an example of what I needed to have for nginx.conf to make this work....
location /myservice/ {
    access_by_lua_block {
        local opts = {
            redirect_uri_path = "/myservice/auth",
            discovery = "https://<keycloak-server>/auth/realms/<my-realm>/.well-known/openid-configuration",
            client_id = "<my-client-id>",
            client_secret = "<the-clients-secret>",
            logout_path = "/service/logout",
            revoke_tokens_on_logout = true,
            session_contents = {id_token=true} -- this is essential for safari!
        }
        -- authenticate the request against Keycloak via OpenID Connect;
        -- a request to logout_path ends the session and hits the Keycloak logout URL
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }
    # I disabled caching so the browser won't cache the site.
    expires 0;
    add_header Cache-Control private;
    proxy_pass http://my-service-server.cloud:port/some/path/;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
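An added example (not code from any answer above) showing the two logout shapes discussed on this page: the redirect-style URL from the documentation quote, and the single server-to-server POST the question asks for, which Keycloak's logout endpoint accepts from a confidential client with its client credentials and the user's refresh token (sent from the backend, so the browser ORIGIN problem does not apply). It ends with the check the second answer hints at: after logout the old access token must be rejected by the userinfo endpoint, otherwise only the client-side session was dropped. Server URL, realm, client id, secret and tokens are placeholders, not values from the page.

```python
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumption: replace with your own deployment values).
KEYCLOAK = "https://<keycloak-server>/auth"
REALM = "<my-realm>"


def logout_endpoint(base_url: str, realm: str) -> str:
    """The realm's OIDC logout endpoint, the same path the answers above use."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"


def browser_logout_url(base_url: str, realm: str, redirect_uri: str) -> str:
    """Redirect-style logout from the documentation quote; redirect_uri must be percent-encoded."""
    query = urllib.parse.urlencode({"redirect_uri": redirect_uri})
    return f"{logout_endpoint(base_url, realm)}?{query}"


def backchannel_logout_request(base_url: str, realm: str, client_id: str,
                               client_secret: str, refresh_token: str) -> urllib.request.Request:
    """Build the single POST that ends the SSO session without any browser redirect.
    Keycloak expects client credentials plus the refresh token as form fields."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(
        logout_endpoint(base_url, realm), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def session_is_dead(base_url: str, realm: str, access_token: str) -> bool:
    """Post-logout check: userinfo must answer 401 for a token whose SSO session is gone."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    try:
        urllib.request.urlopen(req, timeout=10)
        return False  # token still accepted: the Keycloak session survived the logout
    except urllib.error.HTTPError as exc:
        return exc.code == 401


if __name__ == "__main__":
    req = backchannel_logout_request(KEYCLOAK, REALM, "<my-client-id>",
                                     "<the-clients-secret>", "<refresh-token>")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("logout status:", resp.status)  # Keycloak answers 204 No Content on success
    print("session revoked:", session_is_dead(KEYCLOAK, REALM, "<old-access-token>"))
```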