We have been using the same approach (adding the original content to the overriding template and changing the suggested line) and it is working fine so far. We have not set the oidc.endpoint.logout variable either.
I did not test it thoroughly but I did try it once (oidc.endpoint.logout=https://KEYCLOAKSERVER/auth/realms/demo/protocol/openid-connect/logout).
This did not work for me. Maybe I did not provide the correct URL, otherwise misunderstood something, or forgot to restart the instance. But I think I followed the correct procedure, and I saw no change in the URL linked to by the Logout button; upon clicking it, the page simply refreshed, the same as it did before uncommenting this line in xwiki.properties.
I definitely recommend a few other folks give it a try before reaching a conclusion.
Another workaround (for docker version) is just passing drawer.vm to the docker image.
docker exec -it xwiki-mysql-tomcat-web cat /usr/local/tomcat/webapps/ROOT/skins/flamingo/drawer.vm > ./drawer.vm
Then find there href="$xwiki.getURL('XWiki.XWikiLogout' as was mentioned before, and replace the string like this:
<a href="$xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=$escapetool.url('https://YOUR_KEYCLOACK_URL/auth/realms/master/protocol/openid-connect/logout?redirect_uri=https://YOUR_WIKI_URL')")" id="tmLogout" rel="nofollow">$services.icon.renderHTML('log-out') $escapetool.xml($services.localization.render('logout'))
Then edit docker-compose.yaml and pass drawer.vm to the docker container:
volumes:
  - ./xwiki.cnf:/etc/mysql/conf.d/xwiki.cnf
  - ./mysql-data:/var/lib/mysql
  - ./init.sql:/docker-entrypoint-initdb.d/init.sql
  - ./drawer.vm:/usr/local/tomcat/webapps/ROOT/skins/flamingo/drawer.vm:ro
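The docker workaround above as a script, added here as an example (not code from the thread, from XWiki or from the OIDC authenticator). It patches a copy of drawer.vm rather than the live file and refuses to hand back an unchanged file. It assumes the skin's anchor begins with href="$xwiki.getURL('XWiki.XWikiLogout' and ends with id="tmLogout" in straight quotes (the forum renders the post's quotes as curly ones, which Velocity would not parse); the Keycloak and wiki URLs are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite the Logout link in a copy of
# drawer.vm so it goes to Keycloak's OIDC logout endpoint and then back to the
# wiki. The patched copy is what you mount read-only into the container.

# patch_drawer_logout IN OUT KC_URL WIKI_URL
#   IN       drawer.vm as copied out of the container with "docker exec ... cat"
#   OUT      patched file to mount at .../skins/flamingo/drawer.vm:ro
#   KC_URL   Keycloak base URL, e.g. https://keycloak.example.org (placeholder)
#   WIKI_URL where Keycloak sends the browser after logout (placeholder)
patch_drawer_logout() {
  in="$1"; out="$2"; kc="$3"; wiki="$4"
  # Velocity expression for the new href. $escapetool.url() percent-encodes the
  # whole Keycloak URL so it survives as one xredirect query value, including
  # its own ?redirect_uri=... part. Assumed realm: master, as in the post.
  new="\$xwiki.getURL('XWiki.XWikiLogout', 'logout', \"xredirect=\$escapetool.url('${kc}/auth/realms/master/protocol/openid-connect/logout?redirect_uri=${wiki}')\")"
  # Replace only the href attribute of the tmLogout anchor; every other line and
  # attribute is copied through unchanged. '|' is the sed delimiter because the
  # URLs contain '/'.
  sed -e "s|href=\"\\\$xwiki\\.getURL('XWiki\\.XWikiLogout'.*\" id=\"tmLogout\"|href=\"${new}\" id=\"tmLogout\"|" "$in" > "$out"
  # Fail loudly if the anchor was not where we expected it, instead of silently
  # shipping a drawer.vm that still logs out locally only.
  grep -q 'openid-connect/logout?redirect_uri=' "$out" || {
    echo "patch_drawer_logout: no XWiki.XWikiLogout anchor found in $in" >&2
    return 1
  }
}
```

After running it, mount the OUT file with the volumes entry shown above and restart the container so the skin template is re-read.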
For me, as of today (xwiki v16.9.0), the following works:
File xwiki.properties:
oidc.endpoint.logout= https://<keycloak domain>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=<xwiki URL or desired redirect URL incl. "http(s)://">
Note: support for logout was greatly improved in the OIDC Authenticator 2.4.0, so March 2024 (I would honestly not consider logout to really be working, from OIDC protocol point of view, before that).
@tmortagne I noticed that after the recent changes, the logout URL adds an srid, causing the logout redirect to stop working.
Specifically, it appends /%3Fsrid=XqAwpIPb to the end of the post_logout_redirect_uri. Can you please investigate this?
post_logout_redirect_uri: … /xwiki/bin/view/Main/%3Fsrid=XqAwpIPb
Well, I don't see anything in the OIDC authenticator that would add a "srid" parameter to the logout URL before the redirect, but it does add other stuff (like id_token_hint) which are in the OIDC specification.