Logout on xwiki while using keycloak / OIDC

sbernhard · May 16, 2020, 8:23pm

I’m using keycloak with xwiki using the OpenID Connect extension. Login works pretty good but unfortunately I’m not able to get logout working. If I press logout on xwiki the user will not be logged out but redirected to the current shown xwiki page.

On the keycloak UI I still can see that there is a session for the user.

Further question would be, if a “single log out” should work - means, is the user immediately logged out on xwiki if the user is logged out on a different application which is connected to keycloak, too (and the keycloak session is destroyed for this user).

sbernhard · May 17, 2020, 7:03pm

I guess, the “common” xwiki logout must also send a “logout” to the openid connector like this:
https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout

Is this somehow possible to adapt without changing the code?

tmortagne · May 18, 2020, 7:22am

Yes this is most probably the problem since right now the authenticator only logout on XWiki side (but indeed if you access a page which is not public then you end up being automatically authenticated again).

Supporting this will definitely need code to be written.

sbernhard · May 18, 2020, 7:32am

Hi @tmortagne

Thank you very much for your quick answer. I’m a developer and I guess it wouldn’t be to hard to add such functionality. Unfortunately, I don’t have a build / test environment.

I would do it somehow like this:

add a new logout endpoint to xwiki.properties:
oidc.endpoint.logout=https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout
In case this is configured, send request to this logout endpoint in the oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java public void logout() method

what do you think?

tmortagne · May 18, 2020, 7:35am

Sounds good yes. Just a detail: this code should redirect the user and not send an HTTP request.

Ha maybe not actually, looks like the logout can be done by the relying party too. There is a com.nimbusds.openid.connect.sdk.LogoutRequest helper you can use it seems.

sbernhard · May 18, 2020, 8:31am

Oh, than its much more difficult if a redirect should be used.
What would happen if the LogoutRequest would be send in the logout() method in OIDCUserManager?

tmortagne · May 18, 2020, 9:51am

That’s what I tough initially since that’s usually how OIDC works (you make the user do stuff) but read the second part of my previous message.

clemens.doerfler · May 28, 2020, 7:28am

I have the same Problem and i tried
oidc.endpoint.logout=[site]/auth/realms/aerobase/protocol/openid-connect/logout
in xwiki.properties, but can´t log out.

I´m very interested in a solution for this Problem.

tmortagne · May 28, 2020, 8:10am

@sbernhard started working on exactly this in https://github.com/xwiki-contrib/oidc/pull/5

sbernhard · June 24, 2020, 11:08pm

Unfortunately, I’m not able to test it as it looks like, keycloak doesn’t support the RP initiated logout with OIDC. If someone else want to test it, please have a look at the github PR. If necessary, I can provide the compiled *.jar files which needs to be used.

jwielsch · July 7, 2020, 12:25pm

It is just a workaround, but perhaps it’ll help in the meantime:

edit the drawer.vm in the /skins/flamingo folder, find the line #1 with XWikiLogout and change #2 (see following picture) to the Keycloak OpenID Logout URL “https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout”.

In my deb-installation the folder is located here: /usr/lib/xwiki/skins/flamingo

Check the syntax, as you must begin directly after the xredirect= an end after URL)

For me this works now for some months. You have to edit it again after an update.

clemens.doerfler · July 7, 2020, 2:38pm

It should be possible to fix this problem. Keycloak is not so small, that this is irrelevant.
When RP-initiated logout is not possible, then we need another solution.

We try this “Workaround” but we need a right Solution for this Problem.
With this, no local user (admin) can logout from the Wiki.

jwielsch · July 8, 2020, 12:06pm

Perhaps this can help - but it is just another workaround:

Give the local admins this link:

https://WIKI-ADDRESS/bin/logout/XWiki/XWikiLogout?xredirect=%2Fbin%2Fview%2FMain%2F

If they open this link in the same browser, they should be logged out. But i did not try this!!

xwikiman · November 23, 2020, 6:04pm

I’ve successfully authenticated xwiki with Okta OIDC, but since there is no logout, this renders the OIDC interface unusable/impractical for production use or am I missing something? Did I miss the documentation on the proper URL to call for logout or is the logout function still missing?

It was pretty straight forward to set up with Okta once I figured out the proper login URI. Here is the login redirect URI I used with Okta that got me in:

http://<your_URL_here>:80/oidc/authenticator/callback

<your_URL_here> would be something like wiki.domainname.com

sbernhard · December 3, 2020, 10:38pm

First of all, I found a cool addition to enter a redirect uri to the logout scheme:
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri ,

Unfortunately, the whole logout process doesn’t work right now in keycloak. Don’t know why. Maybe related because of using SAML authentication on keycloak for another app, too.

jwielsch · December 4, 2020, 4:15am

Hi @sbernhard

find the drawer.vm in the /skins/flamingo folder an edit it. search the line with <a href="$xwiki.getURL('XWiki.XWikiLogout', at the beginning. Edit the following and change the whole line:

<a href="$xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=https://KEYCLOAK-SERVER/auth/realms/master/protocol/openid-connect/logout?redirect_uri=ADDRESS_TO_BE_SHOWN_AFTER_LOGOUT"")" id="tmLogout" rel="nofollow">$services.icon.renderHTML('log-out') $escapetool.xml($services.localization.render('logout'))</a>

Afterwards no reboot is needed. Just reload a page.

Logout will work without problems. I use this for some month now witout problems.

Remember to edit it again, after an update!

jwielsch · December 4, 2020, 6:58am

Hmm. I use SAML for Nextcloud and Wordpress - and OpenID for Wekan and XWiki. For me it works great.

sbernhard · December 20, 2020, 8:18am

Works. Thank you very much.

MartinBuber · January 19, 2021, 12:56am

Hi all, my workaround is essentially that described by @jwielsch and @sbernhard at post #16, however, I used the Administer Wiki tools to override drawer.vm in my xwiki’s active skin, rather than edit the file directly on the server – hopefully this step means the change will persist across upgrades etc.

Logged in as an administrator > Drawer > Administer Wiki > Look & Feel > Themes > Skin > Customize > Edit this skin > Add a new overriding template names drawer.vm > paste the full contents from server-side file with relevant edit described above > Save

Also, in my case, the location server-side was /usr/local/tomcat/webapps/ROOT/skins/flamingo/drawer.vm
(I’m running the Docker image xwiki:lts-mysql-tomcat)

The above is with the line
oidc.endpoint.logout=https://KEYCLOAKSERVER/auth/realms/demo/protocol/openid-connect/logout
commented out in xwiki.properties. I tried with this line active but I did not see a change in behavior.

jwielsch · January 21, 2021, 8:44am

@MartinBuber

Just for the record: Does ist work? If yes, one should update the official documentation.