I'm having trouble allowing users to log out of an application that uses Keycloak for access management.
I have found this topic discussed here and there, but no clear instructions on how to handle the logout.
I tried to log a user out by redirecting the browser to an endpoint of the following format:
https://example.com/auth/realms/myrealm/protocol/openid-connect/logout?id_token_hint=mytoken&post_logout_redirect_uri=https://example.com/initialpage/
What I used as "mytoken" was the access_token I had obtained by making a POST request to the endpoint:
https://example.com/auth/realms/playipintern/protocol/openid-connect/token
passing it parameters like the ones below:
grant_type="authorization_code" 
code=code_obtained_from_a_url_to_which_keycloak_redirected_the_browser 
client_id=client_id_created_using_key_cloak_gui 
redirect_uri=the_to_which_keycloak_redirected_the_browser
and reading the body of the response. The body was JSON, like the one below:
{
    "access_token": "long_token_I_used_latter_as_token_hint_trying_to_logout",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "other_long_token",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "a_shorter_code",
    "scope": "email profile"
}
My logout attempt resulted in the following message in Keycloak's log:
22:53:51,686 WARN [org.keycloak.events] (default task-24) type=LOGOUT_ERROR, realmId=playipintern, clientId=null, userId=null, ipAddress=192.168.16.1, error=invalid_token
and the response said "We are sorry, session not active".
Now I'm aware that I should have used the id_token and not the access_token to log out, but I received no id_token in the JSON.
Somewhere, someone said I should have included
scope=openid
in the parameters that I used to obtain the token. I did so, expecting to find an "id_token" field in the JSON, but nothing changed.
Someone else reported having needed to create a scope (I believe using Keycloak's GUI) named "openid" to obtain the token. That didn't make much sense to me, but I tried it anyway and added the newly created scope to the client scopes, again using Keycloak's GUI. Once more, the JSON didn't change.
I tried to use the refresh_token as the id_token, but that also resulted in an invalid token message.
I don't know what to try now. Any help is appreciated.
Thank you.
There are 2 ways to log out from Keycloak:
1. Using the admin endpoint. In this case it will clear all the available sessions:
POST: {{Base_URL}}/admin/realms/{{Realm_name}}/users/bac5ae23-9ad6-4bb5-88b4-70f1b83a416a/logout
2. Logout using the refresh token. This will clear just the ongoing session for that user:
POST: {{Base_URL}}/realms/{{Realm_name}}/protocol/openid-connect/logout

Note: Refresh token is given with keycloak login response
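The two requests from the answer above, written out as an added example (this is not code from the question, the answer, or the Keycloak project). It builds each logout request as a plain method/URL/headers/body tuple so you can inspect it before sending, and pulls the refresh_token out of a token-endpoint response like the one in the question, since that endpoint wants the refresh token rather than the access token. Base URL, realm, client id, user id and token values are placeholders; only the two paths come from the answer. Sending uses urllib from the standard library.

```python
# Added example, not from the question or answer: the two Keycloak logout
# requests the answer describes, built so they can be inspected before use.
# Base URL, realm, client, user id and tokens below are placeholders.
import json
import urllib.parse
import urllib.request


def refresh_token_from_login(response_body: str) -> str:
    """Extract refresh_token from a token-endpoint response body.

    The openid-connect/logout endpoint takes the refresh token, not the
    access token, so this fails loudly when the field is absent instead of
    letting the wrong token be sent (which yields error=invalid_token).
    """
    token_response = json.loads(response_body)
    try:
        return token_response["refresh_token"]
    except KeyError:
        raise ValueError("token response carries no refresh_token") from None


def build_session_logout(base_url, realm, client_id, refresh_token, client_secret=None):
    """POST {base}/realms/{realm}/protocol/openid-connect/logout.

    Ends only the session the refresh token belongs to. The client that
    obtained the token identifies itself with client_id; a confidential
    client also sends its client_secret.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"
    form = {"client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    body = urllib.parse.urlencode(form).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", url, headers, body


def build_admin_logout(base_url, realm, user_id, admin_access_token):
    """POST {base}/admin/realms/{realm}/users/{user_id}/logout.

    Ends every session of that user. This is an admin REST call, so the
    bearer token must be an access token with admin rights on the realm
    (for example one obtained for the admin-cli client), not the user's own.
    """
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}/users/{user_id}/logout"
    headers = {"Authorization": f"Bearer {admin_access_token}"}
    return "POST", url, headers, b""


def send(request, timeout=10):
    """Send one of the tuples above with urllib and return the HTTP status.

    A 2xx status means Keycloak accepted the logout; urllib raises HTTPError
    on 4xx, which is what an expired or wrong token produces.
    """
    method, url, headers, body = request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample: the login response shown in the question, as valid JSON.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "access_token": "long_token_I_used_latter_as_token_hint_trying_to_logout",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "other_long_token",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "a_shorter_code",
    "scope": "email profile",
})

if __name__ == "__main__":
    base = "https://example.com/auth"  # placeholder; older Keycloak lived under /auth
    rt = refresh_token_from_login(SAMPLE_LOGIN_RESPONSE)
    method, url, headers, body = build_session_logout(base, "myrealm", "my-client", rt)
    print(method, url)
    print(body.decode())
    # send((method, url, headers, body)) would end the session on a live server
```

Two things worth checking before blaming the token: the refresh token in the question's response expires after refresh_expires_in=1800 seconds, so the logout has to happen within that window, and the client_id in the logout form must be the client the token was issued to. The admin variant needs its own admin-scope bearer token; calling it with the user's access token gets a 401/403 rather than a logout.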