Keycloak logout


Emma Richardson

Dec 9, 2022, 8:12:21 AM
to Keycloak User
From the documentation, it appears that when a user logs out from a client, it should end their Keycloak session and they should also be redirected to the Keycloak logout page. This is not working on any of my clients (OpenID and SAML), and I am wondering if I have a setting wrong or if I am misunderstanding the documentation. Is there a specific setup option you have to select to get this to work?

Would appreciate any help.

Gustavo J Gallardo

Dec 27, 2022, 12:12:26 PM
to Emma Richardson, Keycloak User
Hi Emma,
In OpenID Connect, your Client must implement OIDC Logout (https://openid.net/specs/openid-connect-rpinitiated-1_0.html).
Most OIDC Clients and libraries should have this implemented.

Basically, after killing the local session, the RP must redirect the user to the end_session_endpoint, with id_token_hint and post_logout_redirect_uri parameters.

HTH,

Gustavo
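
The redirect described in the reply above, as an added example that is not part of the thread or of any Keycloak or Moodle code: an RP-side helper that builds the end_session_endpoint URL and checks the redirect back. The `client_id` and `state` parameters come from the RP-Initiated Logout specification linked above rather than from the reply; the hosts, realm and token value are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed discovery document; a real RP fetches it from the OP's
# /.well-known/openid-configuration. Host and realm are placeholders.
DISCOVERY = {
    "issuer": "https://sso.example.test/realms/demo",
    "end_session_endpoint":
        "https://sso.example.test/realms/demo/protocol/openid-connect/logout",
}


def build_logout_url(discovery, post_logout_redirect_uri,
                     id_token=None, client_id=None):
    """Return (url, state) for the redirect sent after the local session is destroyed."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("OP does not advertise end_session_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    params = {}
    if id_token:
        # The ID token issued at login tells the OP which session to end.
        params["id_token_hint"] = id_token
    elif client_id:
        # Without a stored ID token, client_id at least identifies the RP.
        params["client_id"] = client_id
    else:
        raise ValueError("need id_token or client_id to identify the RP")
    state = secrets.token_urlsafe(16)
    params["post_logout_redirect_uri"] = post_logout_redirect_uri
    params["state"] = state
    return endpoint + "?" + urlencode(params), state


def logout_return_is_valid(return_url, expected_state):
    """Check that the OP's redirect back carries the state this RP generated."""
    got = parse_qs(urlsplit(return_url).query).get("state", [""])[0]
    return hmac.compare_digest(got.encode(), expected_state.encode())


if __name__ == "__main__":
    url, state = build_logout_url(
        DISCOVERY, "https://app.example.test/logged-out",
        id_token="eyJ.constructed.token")
    print(url)
    print(logout_return_is_valid(
        "https://app.example.test/logged-out?state=" + state, state))
```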


Emma Richardson

Dec 28, 2022, 9:56:51 PM
to Keycloak User
So, I have it sort of working. On the clients that support it, it is now working. I am really not sure what changed but it works. The one site I am struggling with is a Moodle site, and their OIDC connection does not have an option for IdP logout. I have created a workaround by redirecting the site login to the Keycloak OIDC endpoint. This actually works as I want but is throwing an error on the Keycloak server (Logout for client 'MyMoodleSite' failed: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPath) - even though the Keycloak server error states that logout failed, it did not fail and the user is logged out of both website and Keycloak as wanted... I am presuming that it is due to the lack of id_token_hint...