Red Hat build of Keycloak
RHBK-2586

logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page [GHI#34207]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      login/ui

      Describe the bug

      When using the URL to log out with a client_id and post_logout_redirect_uri, after the user clicks the logout button, they are often shown a Bad Request error:
      ```
      https://<keycloak-host>/auth/realms/master/protocol/openid-connect/logout?client_id=the-client&post_logout_redirect_uri=https%3A%2F%2Fexample.com/
      ```
      This also happens when only providing the client_id.

      Version

      26.0.0

      Regression

      [ ] The issue is a regression

      Expected behavior

      • After clicking on "logout" on the logout page, the user should be redirected to the url given in post_logout_redirect_uri

      Actual behavior

      Sometimes the user receives a Bad Request response and the log shows an invalid token error.

      How to Reproduce?

      With these steps I could reproduce it easily. But it seems that not only the logout URL is affected but other flows as well, since the normal user flow on our page does not include the logout page without parameters:

      • log in via the login page
      • open the logout page without any parameters: /auth/realms/master/protocol/openid-connect/logout
      • open the logout page with client_id and redirect: /auth/realms/master/protocol/openid-connect/logout?client_id=the-client&post_logout_redirect_uri=https%3A%2F%2Fexample.com/
      • click on Logout
      • A Bad Request error is shown

      Anything else?

      This seems to happen when the user has not been on the Keycloak page for some time, but after a fresh login it works.
      When the user refreshes the logout page before clicking the logout button, it also works correctly.

      The refresh seems to reset the KC_RESTART cookie, which is then valid.
      The error in the Keycloak log states an invalid token.

      In my steps to reproduce, no "Back to Application" link is shown, but in the normal user flow there always is. I could not find a reason why the token seems to be invalidated; maybe some token refresh in the background?
      Our auth proxy creates a new access token from the refresh token every minute, so maybe it has something to do with that?

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core Clients