2
votes

I'm using keycloak with a remote OIDC provider. When I log out from my application (which talks to Keycloak), I'm also logged out from the external OIDC provider. But, when I try the other way around, by logging out from the external OIDC provider, I remain logged in to keycloak.

Is there some configuration I'm missing, so that a logout from the identity provider will also log me out from Keycloak?

Is there some URL that needs to be registered with the remote IdP? I guess it won't be the regular logout URL, since that would start a logout process that invokes the remote IdP, which in turn would call Keycloak logout back, in an infinite loop?

1

1 Answer

3
votes

It turns out that the remote IdP had implemented the front channel logout spec of OpenID Connect, which requires a URL (in Keycloak) that the user is redirected to when the user logs out of the remote IdP.

The only URL provided by Keycloak is the standard logout URL, but this will initiate a logout at the remote IdP, which in my case will not work. I have added a pull request to Keycloak to add a query param to the logout URL that will make it not log out from the remote IdP. From what I understand this will not completely comply with the front channel logout spec, but it will hopefully work in my case. The pull request is accepted but awaiting a merge.

Update:

My PR is merged, so now Keycloak supports remote IdPs using the frontchannel logout spec. They can now redirect to the standard logout URL, with the parameter initiating_idp, with the alias of the IdP configured in Keycloak as a value. See https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
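The following is an added example, not code from the question, the answer or the Keycloak project: a small Python model of the two pieces the answer describes, the logout URL a remote IdP registers as its front-channel logout target (carrying `initiating_idp`), and the decision the receiving logout endpoint makes so that the initiating IdP is not called back (which is what would otherwise produce the loop the question worries about). The Keycloak base URL, realm name and IdP alias are constructed values; `plan_logout` is a hypothetical helper that only models the decision, and its choice to ignore an `initiating_idp` value that names no configured IdP is an assumption of this example, not documented Keycloak behaviour.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed values for this example: Keycloak base URL, realm, and the
# aliases of the identity providers configured in that realm.
KEYCLOAK_BASE = "https://keycloak.example.test"
REALM = "myrealm"
CONFIGURED_IDP_ALIASES = {"remote-oidc"}


def keycloak_logout_url(initiating_idp=None):
    """Build the Keycloak logout URL.

    Without a parameter this is the normal logout URL, which would also log the
    user out at the remote IdP. With initiating_idp set to the alias of the IdP
    that started the logout, it is the URL that IdP should register as its
    front-channel logout target, so Keycloak ends its own session without
    calling that IdP back.
    """
    path = f"/realms/{REALM}/protocol/openid-connect/logout"
    query = urlencode({"initiating_idp": initiating_idp}) if initiating_idp else ""
    return urlunsplit(("https", urlsplit(KEYCLOAK_BASE).netloc, path, query, ""))


def plan_logout(request_url, session_idp_alias):
    """Model of the decision a logout endpoint makes (hypothetical helper).

    session_idp_alias is the alias of the IdP through which the current
    Keycloak session was established (None for a local login). The local
    session always ends; the remote IdP is only notified when it did not
    start this logout itself, which is what breaks the loop.
    """
    params = parse_qs(urlsplit(request_url).query)
    initiating = params.get("initiating_idp", [None])[0]
    # Assumption of this model: an alias that is not configured in the realm
    # is ignored rather than allowed to suppress the upstream logout.
    if initiating is not None and initiating not in CONFIGURED_IDP_ALIASES:
        initiating = None
    notify_remote = session_idp_alias is not None and session_idp_alias != initiating
    return {
        "end_local_session": True,
        "notify_remote_idp": notify_remote,
        "initiating_idp": initiating,
    }


if __name__ == "__main__":
    # The URL to register at the remote IdP as its front-channel logout target.
    print(keycloak_logout_url("remote-oidc"))
    # Logout started by the remote IdP: local session ends, no call back upstream.
    print(plan_logout(keycloak_logout_url("remote-oidc"), "remote-oidc"))
    # Logout started from the application: Keycloak also notifies the remote IdP.
    print(plan_logout(keycloak_logout_url(), "remote-oidc"))
```

The value passed as `initiating_idp` must be the alias under which the IdP is configured in Keycloak; with the alias correct, a logout that begins at the remote IdP ends the Keycloak session without another upstream logout, while a logout that begins at the application still propagates to the remote IdP as before.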