Logout on xwiki while using keycloak / OIDC

I’m using keycloak with xwiki using the OpenID Connect extension. Login works pretty good but unfortunately I’m not able to get logout working. If I press logout on xwiki the user will not be logged out but redirected to the current shown xwiki page.

On the keycloak UI I still can see that there is a session for the user.

Further question would be, if a “single log out” should work - means, is the user immediately logged out on xwiki if the user is logged out on a different application which is connected to keycloak, too (and the keycloak session is destroyed for this user).

I guess, the “common” xwiki logout must also send a “logout” to the openid connector like this:

Is this somehow possible to adapt without changing the code?

Yes this is most probably the problem since right now the authenticator only logout on XWiki side (but indeed if you access a page which is not public then you end up being automatically authenticated again).

Supporting this will definitely need code to be written.

Hi @tmortagne

Thank you very much for your quick answer. I’m a developer and I guess it wouldn’t be to hard to add such functionality. Unfortunately, I don’t have a build / test environment.

I would do it somehow like this:

  • add a new logout endpoint to xwiki.properties:
  • In case this is configured, send request to this logout endpoint in the oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java public void logout() method

what do you think?

Sounds good yes. Just a detail: this code should redirect the user and not send an HTTP request.

Ha maybe not actually, looks like the logout can be done by the relying party too. There is a com.nimbusds.openid.connect.sdk.LogoutRequest helper you can use it seems.

Oh, than its much more difficult if a redirect should be used.
What would happen if the LogoutRequest would be send in the logout() method in OIDCUserManager?

That’s what I tough initially since that’s usually how OIDC works (you make the user do stuff) but read the second part of my previous message.

I have the same Problem and i tried
in xwiki.properties, but can´t log out.

I´m very interested in a solution for this Problem.

@sbernhard started working on exactly this in https://github.com/xwiki-contrib/oidc/pull/5

Unfortunately, I’m not able to test it as it looks like, keycloak doesn’t support the RP initiated logout with OIDC. If someone else want to test it, please have a look at the github PR. If necessary, I can provide the compiled *.jar files which needs to be used.

It is just a workaround, but perhaps it’ll help in the meantime:

edit the drawer.vm in the /skins/flamingo folder, find the line #1 with XWikiLogout and change #2 (see following picture) to the Keycloak OpenID Logout URL “https://keycloak-url/auth/realms/MYREALM/protocol/openid-connect/logout”.

In my deb-installation the folder is located here: /usr/lib/xwiki/skins/flamingo

Check the syntax, as you must begin directly after the xredirect= an end after URL)


For me this works now for some months. You have to edit it again after an update.

It should be possible to fix this problem. Keycloak is not so small, that this is irrelevant.
When RP-initiated logout is not possible, then we need another solution.

We try this “Workaround” but we need a right Solution for this Problem.
With this, no local user (admin) can logout from the Wiki.

Perhaps this can help - but it is just another workaround:

Give the local admins this link:


If they open this link in the same browser, they should be logged out. But i did not try this!!