Keycloak User Logout

I'm having trouble allowing users to log out from an application that uses Keycloak for access management.

I have found this topic being discussed here and there, but not clear instructions on how to handle the logout.

I tried to cause the logout of a user by redirecting the browser to an endpoint of the following format:

https://example.com/auth/realms/myrealm/protocol/openid-connect/logout?id_token_hint=mytoken&post_logout_redirect_uri=https://example.com/initialpage/

What I used as "mytoken" was the access_token I had obtained making a post request to the endpoint:

https://example.com/auth/realms/playipintern/protocol/openid-connect/token

passing to it parameters like the ones below:

grant_type="authorization_code"
code=code_obtained_from_a_url_to_which_keycloak_redirected_the_browser
client_id=client_id_created_using_key_cloak_gui
redirect_uri=the_to_which_keycloak_redirected_the_browser

and reading the body of the response. The content of the body was a JSON document, like the one below:

{
    "access_token": "long_token_I_used_later_as_token_hint_trying_to_logout",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "other_long_token",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "a_shorter_code",
    "scope": "email profile"
}

My logout attempt resulted in the following message in Keycloak's log:

22:53:51,686 WARN [org.keycloak.events] (default task-24) type=LOGOUT_ERROR, realmId=playipintern, clientId=null, userId=null, ipAddress=192.168.16.1, error=invalid_token

and the response said "We are sorry, session not active".

Now I'm aware that I should have used the id_token and not the access_token to logout, but received no id_token in the json.

Somewhere, someone said I should have included

scope=openid

in the parameters that I used to obtain the token. I did it, expecting to find an "id_token" field in the json, but nothing changed.

Someone else reported having needed to create a scope (I believe using Keycloak's GUI) named "openid" to obtain the token. That didn't make much sense to me, but I tried it anyway and added the just-created scope to the client scopes using Keycloak's GUI again. Once more, the JSON didn't change.

I tried to use the refresh_token as the id_token, but that also resulted in an invalid token message.

I don't know what to try now. Any help is appreciated.

Thank you.

Solution 1:[1]

The /token endpoint returns only the access token by default. No refresh token is returned and no user session is created on the Keycloak side upon successful authentication by default. Due to the lack of a refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the Keycloak server because sessions are not created by default.

In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the OpenID Connect Endpoints section:

/realms/{realm-name}/protocol/openid-connect/revoke

Example:

 POST /revoke HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

 token=45ghiukldjahdnhzdauz&token_type_hint=access_token

You need to put your token in place of 45ghiukldjahdnhzdauz.

token_type_hint can take either access_token or refresh_token as value to define which type of token you want to revoke.

Solution 2:[2]

You will have to add scope=openid to your initial request to http://example.com/auth/realms/playipintern/protocol/openid-connect/auth (note the /auth instead of /token at the end) before the redirect from where you copied the access code.

You can find further information and explanation in this article.
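As an added example (not code from the question or from either answer), the sequence the two answers describe, written out in Python: the authorization request to /auth with scope=openid, a check that the /token response actually carries an id_token (the asker's JSON did not), the RP-initiated logout URL built with that id_token as id_token_hint, and the /revoke form body from Solution 1. The base URL, realm, client id and redirect URI are placeholders; the code exchange itself is the POST to /token shown in the question.

```python
"""OIDC code flow against Keycloak: request scope=openid at /auth so that the
/token response carries an id_token, then pass it as id_token_hint on logout.
Added example; BASE, REALM, CLIENT_ID and REDIRECT_URI are placeholders."""
import json
from urllib.parse import urlencode

BASE = "https://example.com/auth"              # Keycloak base URL (placeholder)
REALM = "myrealm"                              # realm name (placeholder)
CLIENT_ID = "my-client"                        # client created in the admin UI (placeholder)
REDIRECT_URI = "https://example.com/callback"  # registered redirect URI (placeholder)

def endpoint(name):
    """Realm endpoint URL for auth, token, logout or revoke."""
    return f"{BASE}/realms/{REALM}/protocol/openid-connect/{name}"

def build_auth_url(state, scope="openid email profile"):
    """Authorization request. Without 'openid' in scope the flow is plain
    OAuth2 and Keycloak will not include an id_token in the /token response."""
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' to receive an id_token")
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{endpoint('auth')}?{urlencode(params)}"

def id_token_from_response(body):
    """Pull id_token out of the /token JSON body; fail loudly when it is
    absent instead of falling back to the access or refresh token."""
    data = json.loads(body)
    if "id_token" not in data:
        raise KeyError("no id_token in token response: was scope=openid sent to /auth?")
    return data["id_token"]

def build_logout_url(id_token, post_logout_redirect_uri):
    """RP-initiated logout URL; id_token_hint must be the ID token."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    return f"{endpoint('logout')}?{urlencode(params)}"

def revoke_request_body(token, token_type_hint="access_token"):
    """Form body for /revoke (RFC 7009), the alternative given in Solution 1."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    return urlencode({"token": token, "token_type_hint": token_type_hint})
```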

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Arpit Jindal
Solution 2: sventorben