Proper way to invoke the end_session_endpoint


Brian Levine

Jun 17, 2021, 12:31:06 PM6/17/21
to Keycloak User

Environment: Keycloak 12.0.4

We plan to allow various OpenIDC-protected applications to initiate a "single sign-out" using Keycloak's end_session_endpoint. In our case, we'd like to provide our own URL that applications will hit when they want to sign-out. That URL will either programmatically invoke the end_session_endpoint via Javascript or simply redirect the user's browser to the end_session_endpoint.

The Keycloak documentation and examples I've seen so far are a bit confusing regarding how to invoke this endpoint. For example, do I need to add a query parameter with the id token as a value? (I noticed, for example, that mod_auth_openidc includes an id_token_hint query param.) I assume this call has to be authenticated, so do I include the client id/secret as the credentials?

Thanks!

Pedro Igor Craveiro e Silva

Jun 17, 2021, 3:26:18 PM6/17/21
to Brian Levine, Keycloak User
Hi,

You can look at https://openid.net/specs/openid-connect-session-1_0-17.html#RPLogout. From our implementation, we rely on either cookies or the id_token_hint to identify the user and logout sessions. So you don't necessarily need to send id_token_hint if cookies are sent when redirecting the user from your application to Keycloak. You can also send a state param to match if the logout action sent to your application originated from a valid logout request.

Note, however, that we don't force the id_token_hint and do not ask the user for confirmation, as per spec. But there are discussions to introduce a consent page.

In regards to logout, messages are sent to clients through the backchannel.

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/b118df60-ff4d-41dd-b1f3-dc093a3a7a4cn%40googlegroups.com.
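
The flow Pedro describes is a front-channel redirect: the application sends the user's browser to the end_session_endpoint, Keycloak identifies the user from its own cookies or from id_token_hint, and the state parameter lets the application confirm that the post-logout callback it receives belongs to a logout it actually started. The following Python sketch is an added example, not code from this thread or from Keycloak; the endpoint and redirect URLs are placeholders, and the session store is an in-memory dict standing in for whatever server-side session storage the application has. The parameter names (id_token_hint, post_logout_redirect_uri, state) are the ones defined in the RP-initiated logout specification; Keycloak releases before 18 accepted the redirect target under the name redirect_uri instead, so check which name your version honours.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumed for this example). A real deployment reads
# end_session_endpoint from <issuer>/.well-known/openid-configuration.
END_SESSION_ENDPOINT = (
    "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/logout"
)
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"

# Constructed stand-in for the application's server-side session store:
# maps the application session id to the state value of a pending logout.
_pending_logout_state = {}


def build_logout_redirect(session_id, id_token, store=_pending_logout_state):
    """Return the URL the user's browser should be redirected to.

    No client id/secret is attached: this is a redirect of the browser, not a
    backend call, and Keycloak identifies the user via its cookies or the
    id_token_hint. The state value is stored so the callback can be matched.
    """
    state = secrets.token_urlsafe(32)
    store[session_id] = state
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def parse_query(url):
    """Return the query parameters of a URL as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def verify_logout_callback(session_id, callback_url, store=_pending_logout_state):
    """Check that the post-logout callback carries the state we issued.

    The stored state is consumed on first use, so a replayed or unsolicited
    callback (one the application never initiated) is rejected.
    """
    expected = store.pop(session_id, None)
    if expected is None:
        return False
    received = parse_query(callback_url).get("state", "")
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample: the id token is a dummy string, not a real JWT.
    url = build_logout_redirect("sess-1", "eyJ.constructed.token")
    print("redirect browser to:", url)
    state = parse_query(url)["state"]
    print("callback accepted:",
          verify_logout_callback("sess-1", f"{POST_LOGOUT_REDIRECT_URI}?state={state}"))
```

Only the post-logout callback is validated here; the application should still clear its own local session when the callback arrives, since Keycloak ending its SSO session does not remove the application's session cookie on its own.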

Brian Levine

Jun 17, 2021, 3:39:30 PM6/17/21
to Keycloak User
Thanks Pedro. Exactly the information I needed to know!

Brian

Fabrice G.

Jun 18, 2021, 3:46:00 PM6/18/21
to Keycloak User
Hi,

It seems that the OpenID Connect specification pointed to by Pedro is a bit outdated.

The specification about how to log out using the end_session_endpoint is now https://openid.net/specs/openid-connect-rpinitiated-1_0.html.

Regards,

Fabrice

Brian Levine

Jun 18, 2021, 8:56:12 PM6/18/21
to Keycloak User
Thanks Fabrice. Very helpful.