Keycloak not logging out the Identity provider after calling the /logout endpoint


I'm trying to use Keycloak (13.0.1) as an identity broker. I have an iOS app that uses Keycloak to log in via an OIDC identity provider, and then uses the token to access a Spring Boot backend.

My issue is that I simply can't get the keycloak logout to also log the user out of the Identity Provider session.

I've spent days googling this and looking at both stackoverflow and the keycloak discourse page and git repo, but I couldn't find an answer to my specific issue.

Using Postman to test, the first time I click "Get New Access Token":

(screenshot: using Postman to get token)

It successfully redirects me to the identity provider login page (I use the keycloak hint to bypass the initial keycloak login page). Pressing the button again will skip the IDP login and give me the token directly. How convenient, or so I thought...

The problem is that when I use Keycloak's /logout endpoint to invalidate the refresh token (screenshot: Postman logout):

It successfully returns 204, but when I click "Get New Access Token" again, it skips the login form and gives me the token directly, so there is effectively no way to log out the user and then log in with a different user. The only way to bypass this is to manually click the "clear all cookies" button.

Here is my IDP configuration:

(screenshot: IDP config)

Also note that the Keycloak admin guide specifies that Keycloak should log out of the IDPs when a logout is triggered, so it doesn't seem like I should need any special configuration:

https://www.keycloak.org/docs/latest/server_admin/#identity-broker-logout

IMPORTANT EDIT:

I marked this question as solved and the solution is correct, but I also needed to turn off the IDP "backchannel logout", because our corporate SSO doesn't like it. Keycloak seems to be able to log out regardless.


Solution

  • It successfully redirects me to the identity provider login page

    That redirect is the key. It opens a browser, where a Keycloak cookie is created - that is your IdP session. You have to open the Keycloak /logout endpoint in the same browser, so Keycloak can clear its own Keycloak cookies.

    Summary: you have to open/redirect the user, in the same browser you used for the login, to the logout endpoint (an API call doesn't work). Of course this may not be the case for some special flows, but it should work for standard Authorization Code (with/without PKCE).
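As an added example (not code from the question or the answer above), the two kinds of Keycloak logout request side by side: the browser redirect the answer recommends, and the refresh-token POST that only returns 204. The Keycloak base URL, realm name, client id and tokens are placeholders.

```javascript
// Constructed placeholders (assumptions, not values from the page).
const KEYCLOAK_BASE = "https://keycloak.example.test";
const REALM = "myrealm";

function logoutEndpoint(base, realm) {
  return `${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`;
}

// Front-channel logout: the SAME browser that performed the login navigates to
// this URL (GET). Only then can Keycloak clear its own session cookies and, as a
// broker, propagate the logout to the upstream IdP.
// Parameter names: OIDC RP-initiated logout uses id_token_hint and
// post_logout_redirect_uri; older Keycloak releases (such as the 13.x in the
// question) expect a plain redirect_uri, selected here with legacyRedirectParam.
function buildBrowserLogoutUrl({ base = KEYCLOAK_BASE, realm = REALM, idToken,
                                 postLogoutRedirectUri, legacyRedirectParam = false }) {
  const url = new URL(logoutEndpoint(base, realm));
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  if (postLogoutRedirectUri) {
    const name = legacyRedirectParam ? "redirect_uri" : "post_logout_redirect_uri";
    url.searchParams.set(name, postLogoutRedirectUri);
  }
  return url.toString();
}

// API-style logout: a POST carrying the refresh token. Keycloak invalidates the
// token server side and answers 204, but this request never reaches the user's
// browser, so the cookies that hold the browser-side session survive it. Use it
// to revoke tokens, not as a substitute for the redirect above.
function buildRefreshTokenLogoutRequest({ base = KEYCLOAK_BASE, realm = REALM,
                                          clientId, refreshToken, clientSecret }) {
  const body = new URLSearchParams({ client_id: clientId, refresh_token: refreshToken });
  if (clientSecret) body.set("client_secret", clientSecret); // confidential clients only
  return {
    method: "POST",
    url: logoutEndpoint(base, realm),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}
```

On iOS the first URL would be opened in the same system browser session the login used (not a detached HTTP call), with postLogoutRedirectUri pointing back at the app.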