Logout on xwiki while using keycloak / OIDC

I’m using keycloak with xwiki using the OpenID Connect extension. Login works pretty well but unfortunately I’m not able to get logout working. If I press logout on xwiki the user will not be logged out but redirected to the currently shown xwiki page.

On the keycloak UI I still can see that there is a session for the user.

A further question would be whether “single log out” should work, meaning: is the user immediately logged out on xwiki if the user is logged out of a different application which is connected to keycloak, too (and the keycloak session is destroyed for this user)?

I guess, the “common” xwiki logout must also send a “logout” to the openid connector like this:
https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout

Is this somehow possible to adapt without changing the code?

Yes, this is most probably the problem, since right now the authenticator only logs out on the XWiki side (but indeed if you access a page which is not public then you end up being automatically authenticated again).

Supporting this will definitely need code to be written.

Hi @tmortagne

Thank you very much for your quick answer. I’m a developer and I guess it wouldn’t be too hard to add such functionality. Unfortunately, I don’t have a build / test environment.

I would do it somehow like this:

  • add a new logout endpoint to xwiki.properties:
    oidc.endpoint.logout=https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout
  • In case this is configured, send a request to this logout endpoint in the oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java public void logout() method

What do you think?

Sounds good yes. Just a detail: this code should redirect the user and not send an HTTP request.

Ha maybe not actually, looks like the logout can be done by the relying party too. There is a com.nimbusds.openid.connect.sdk.LogoutRequest helper you can use it seems.

Oh, then it’s much more difficult if a redirect should be used.
What would happen if the LogoutRequest would be sent in the logout() method in OIDCUserManager?

That’s what I thought initially since that’s usually how OIDC works (you make the user do stuff) but read the second part of my previous message.

I have the same problem and I tried
oidc.endpoint.logout=[site]/auth/realms/aerobase/protocol/openid-connect/logout
in xwiki.properties, but can’t log out.

I’m very interested in a solution for this problem.

@sbernhard started working on exactly this in https://github.com/xwiki-contrib/oidc/pull/5
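
The redirect-based logout discussed in this thread, as an added example that is not from any poster or from the extension's code. It builds the logout URL from the proposed `oidc.endpoint.logout` value using the `id_token_hint`, `post_logout_redirect_uri` and `state` parameters of OpenID Connect RP-Initiated Logout; the class name, the wiki URL and the ID token placeholder are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class OidcLogoutRedirect {
    // Random value stored in the local session and compared with the "state" echoed back.
    static String newState() {
        byte[] bytes = new byte[16];
        new SecureRandom().nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Returns the URL to redirect the browser to, or null if no endpoint is configured.
    static URI buildLogoutUri(String logoutEndpoint, String idToken, URI postLogoutRedirect, String state) {
        if (logoutEndpoint == null || logoutEndpoint.isBlank()) {
            return null; // local-only logout, the behaviour described in the thread
        }
        URI endpoint = URI.create(logoutEndpoint.trim());
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            throw new IllegalArgumentException("logout endpoint must use https");
        }
        Map<String, String> params = new LinkedHashMap<>();
        if (idToken != null) {
            params.put("id_token_hint", idToken); // hints to the provider which session to end
        }
        if (postLogoutRedirect != null) {
            params.put("post_logout_redirect_uri", postLogoutRedirect.toString());
            params.put("state", state);
        }
        String query = params.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        return URI.create(endpoint + (query.isEmpty() ? "" : "?" + query));
    }

    public static void main(String[] args) {
        // Constructed sample values: placeholder ID token and wiki URL.
        URI target = buildLogoutUri(
            "https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout",
            "ID_TOKEN_PLACEHOLDER", URI.create("https://wiki.example.org/bin/view/Main/"), newState());
        System.out.println(target);
    }
}
```

The local XWiki session should be invalidated before the redirect is sent, and the post-logout URL has to be one registered for the client at the provider.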