How to have Keycloak logout unset session?
I have a configuration where I'm using Keycloak as an Identity Broker, and a custom Identity Provider (using Spring Security OAuth) to provide user information.
What I observe is that when I attempt to log out (using frontchannel flow), Keycloak cookies including KEYCLOAK_IDENTITY remain. I expect to see Set-Cookie headers setting the expires to some date in the past.
The implication of this is that if I then go to a protected endpoint/page, I am able to access that resource without logging back in. Keycloak reads the IdToken value from the KEYCLOAK_IDENTITY cookie and uses that to reauthenticate the user.
How do I configure Keycloak to fully log a user out?
Solution 1:[1]
When creating the logout link the frontend will use, the 'redirectUri' parameter must match what is configured in Keycloak for the Client as "Front-Channel Logout URL". Note that this defaults to the "Base URL" if not explicitly set in the client configuration.
While you can redirect to another location after logout, if those values don't match, Keycloak won't remove the cookies!
Solution 2:[2]
The solution is buried in the Keycloak source code:
- If I specify a logout url in my Identity Provider configuration, Keycloak will not unset its own cookies. Reference: OIDCIdentityProvider.keycloakInitiatedBrowserLogout(). This method needs to return null in order for Keycloak to unset its cookies.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Andrew Forman |
| Solution 2 | Mark |
