How to get OIDC logout working with Keycloak?

Hi - I am trying to get OIDC logout working with a current Keycloak installation (KC 20). Neither rpInitiated nor backchannel are working properly.
In both configurations I get a 502 from Keycloak after clicking the logout button (URL https://<my-keycloak>/auth/realms/<my-realm>/protocol/openid-connect/auth?scope=openid+profile+email+address+phone&claims={"id_token":{"xwiki_instance_id":null},"userinfo":{"xwiki_user_accessibility":null,"xwiki_user_displayHiddenDocuments":null,"xwiki_user_editor":null,"xwiki_user_usertype":null,"xwiki_groups":null,"xwiki_user_company":null}}&response_type=code&redirect_uri=<my-xwiki>/oidc/authenticator/callback&state=sNO_Tldkeb20jLr_-9OUay-IZCXmEvkP2dVuzNceKJc&client_id=<my-client-id>) and I can only sign in again after manually terminating the Keycloak session by going to https://<my-keycloak>/auth/realms/<my-realm>/account/#/ and clicking the “Sign out” button.
Frontchannel logout in Keycloak is disabled for this client as advised.
Any help is appreciated!

Hi,

The best for your need would be to use the OIDC RP-initiated logout strategy. This is the only one I saw supported with Keycloak for now.

When you tried making the RP-initiated logout strategy, what was the logout endpoint that you defined?

We recently helped an XWiki user set up RP-initiated logout on their Keycloak using the following configuration:

oidc.endpoint.logout=https://keycloak-domain/realms/<realm>/protocol/openid-connect/logout
oidc.logoutMechanism=rpInitiated

Your logout endpoint may be incorrect; can you check?

Thanks,
Clément

This is exactly the endpoint pattern that I configured:
oidc.endpoint.logout=https://<my-keycloak>/auth/realms/<my-realm>/protocol/openid-connect/logout

Do you know which Keycloak version the other user was running? There was a change in the behavior of the endpoint around Keycloak 16 (I think …).

And you have oidc.logoutMechanism=rpInitiated (which is not the default)?

Do you know which Keycloak version the other user was running? There was a change in the behavior of the endpoint around Keycloak 16 (I think …).

Yup, they were using Keycloak 18.x (I don’t have the exact version number).

I tried both - but to be sure I will double-check.

Now we are getting at something - the IngressController has complaints. I will address this now and see if the error disappears.

ingress-nginx-controller-qzfxc controller 2023/01/13 06:51:01 [error] 3239#3239: *27689181 upstream sent too big header while reading response header from upstream, client: 2001:67c:2388:xxxx::xxxx, server: <my-keykloak>, request: "GET/auth/realms/<my-realm>/protocol/openid-connect/auth?scope=openid+profile+email+address+phone&claims={"id_token":{"xwiki_instance_id":null},"userinfo":{"xwiki_user_accessibility":null,"xwiki_user_displayHiddenDocuments":null,"xwiki_user_editor":null,"xwiki_user_usertype":null,"xwiki_groups":null,"xwiki_user_company":null}}&response_type=code&redirect_uri=https://<my-xwiki-instance>/oidc/authenticator/callback&state=dNNPmFCk3gecxqmgjIAg16OlfBaWOXGclOp4ng2ZoXk&client_id=<my-xwiki-clientid>HTTP/2.0",upstream:"http://<my-keykloak-internal-ip>/auth/realms/<my-realm>/protocol/openid-connect/auth?scope=openid+profile+email+address+phone&claims={"id_token":{"xwiki_instance_id":null},"userinfo":{"xwiki_user_accessibility":null,"xwiki_user_displayHiddenDocuments":null,"xwiki_user_editor":null,"xwiki_user_usertype":null,"xwiki_groups":null,"xwiki_user_company":null}}&response_type=code&redirect_uri=https://<my-xwiki-instance>/oidc/authenticator/callback&state=dNNPmFCk3gecxqmgjIAg16OlfBaWOXGclOp4ng2ZoXk&client_id=<my-xwiki-clientid>",host:"<my-keykloak>",referrer:"https://<my-xwiki-instance>/"

That did the trick. After reconfiguring the ingress controller, the session on Keycloak is terminated successfully. Maybe this is worth mentioning somewhere for the next person struggling with this? This was the post that showed the right solution for me: Fixing Nginx "upstream sent too big header" error when running an ingress controller in Kubernetes

But now I am experiencing OIDC-128 - The session is terminated (checked by looking at the page https://<my-keycloak>/auth/realms/<my-realm>/account/#/) but I am redirected to XWiki where I am still logged in. As far as I can see there is already an open PR for that?

I am using XWiki 14.10.3 deployed on Kubernetes, together with Keycloak 20.0.1. If this helps, I can provide you logs from all components involved.

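Added example, not code from this thread or from the XWiki, Keycloak or ingress-nginx projects: nginx reads the upstream response header into a single buffer of `proxy_buffer_size` and answers 502 with "upstream sent too big header" when it does not fit, so this script sizes a header dump against that buffer and names the header lines that dominate. The hostname, cookie names and the 2x headroom factor are assumptions; the input is expected to be an HTTP/1.1 header dump taken from the upstream directly.

```python
"""Check an upstream response header block against nginx's proxy buffer."""

DEFAULT_BUFFER = 4 * 1024  # ingress-nginx default for proxy-buffer-size is "4k"


def header_block(raw: bytes) -> bytes:
    """Status line plus headers, including the terminating blank line."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no end of header block found")
    return raw[: end + 4]


def largest_headers(raw: bytes, top: int = 3):
    """(name, bytes on the wire) of the biggest header lines, largest first."""
    lines = header_block(raw).split(b"\r\n")[1:-2]  # skip status line, blank tail
    sized = [(ln.split(b":", 1)[0].decode().lower(), len(ln) + 2) for ln in lines]
    return sorted(sized, key=lambda item: item[1], reverse=True)[:top]


def recommend_kib(size: int, headroom: float = 2.0) -> int:
    """Smallest power-of-two KiB buffer holding size * headroom (assumed margin)."""
    kib = 4
    while kib * 1024 < size * headroom:
        kib *= 2
    return kib


def report(raw: bytes, buffer_bytes: int = DEFAULT_BUFFER) -> dict:
    size = len(header_block(raw))
    return {
        "header_bytes": size,
        "fits": size <= buffer_bytes,  # False is the "too big header" / 502 case
        "largest": largest_headers(raw),
        "annotation": 'nginx.ingress.kubernetes.io/proxy-buffer-size: "%dk"'
        % recommend_kib(size),
    }


# Constructed sample: a redirect whose cookies push the header block past 4 KiB.
SAMPLE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://xwiki.example/oidc/authenticator/callback?state=s&code=c\r\n"
    b"Set-Cookie: SESSION_A=" + b"A" * 3000 + b"; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: SESSION_B=" + b"B" * 3000 + b"; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

The `annotation` value goes on the Ingress that fronts Keycloak; the same setting is available cluster-wide as the `proxy-buffer-size` key in the controller ConfigMap.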