Can not logout via Keycloak - Missing parameters id_token_hint #449

Closed
Lycsona opened this issue Jun 29, 2022 · 3 comments

Comments

Lycsona commented Jun 29, 2022

I have an issue with logout via Keycloak.

When a user clicks on the logout button, they see:

Missing parameters: id_token_hint

The Keycloak logout URL is used properly, but id_token_hint, which is required, is not set.
This token is issued after the user signs in, as the id_token value in the Keycloak response from the auth endpoint.

Could it be fixed, please? Or could you help to clarify it? Because I am not able to use logout.

@Lycsona Lycsona changed the title Can not logout via Keycloak Can not logout via Keycloak - Missing parameters id_token_hint Jun 29, 2022
Igortorrente commented Jul 10, 2022

Same issue.

Edit: It seems to be something new in Keycloak 18, as we can see in the section OpenID Connect Logout of the release notes.

Apparently we can work around this with --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true, while for user_oidc we don't have a fix.

ubipo added a commit to ubipo/user_oidc that referenced this issue Aug 26, 2022
This adds two parameters to the end_session_endpoint IdP URL which the
user gets redirected to when singleLogout is triggered.

These parameters are:
- client_id: the client ID of the current session's provider
- id_token_hint: the raw id_token that was obtained during the code
  callback of this session's login flow (set in session variable `oidc.id_token`).

Some providers (e.g. node-oidc-provider and Keycloak) require this when using the code OAuth flow.

Because passing id_token_hint reveals the id_token to the user agent, an
app setting was also added to optionally turn this behaviour off (default is
turned on).

Builds upon PR nextcloud#373 / issue nextcloud#336
Fixes issue nextcloud#449
ubipo added a commit to ubipo/user_oidc that referenced this issue Sep 1, 2022
This adds two parameters to the end_session_endpoint IdP URL which the
user gets redirected to when singleLogout is triggered.

These parameters are:
- client_id: the client ID of the current session's provider. 'OPTIONAL'
  as per the relevant OpenID specification.
- id_token_hint: the raw id_token that was obtained during the code
  callback of this session's login flow (set in session variable `oidc.id_token`). 'RECOMMENDED' by the relevant OpenID specification [1].

Some providers (e.g. node-oidc-provider[2] and Keycloak[3]) require this when using the code OAuth flow.

Because passing id_token_hint reveals the id_token to the user agent, an
app setting was also added to optionally turn this behaviour off (default is
turned on).

Builds upon PR nextcloud#373 / issue nextcloud#336
Fixes issue nextcloud#449

[1]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
[2]: https://github.com/panva/node-oidc-provider/blob/c243bf6b6663c41ff3e75c09b95fb978eba87381/lib/actions/end_session.js#L32
[3]: https://www.keycloak.org/docs/latest/release_notes/index.html#oidc-logout-changes

Signed-off-by: Pieter Fiers <pieter@pfiers.net>
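The two parameters described in the commit message above, built on the RP side and then checked on the OP side, as an added example in Python that is not code from user_oidc, from the commit, or from Keycloak. The hostnames, the client registration in REGISTERED_CLIENTS, the function names and the sample ID token are constructed for the example; the provider-side check is modelled on the RP-Initiated Logout rules the commit cites (id_token_hint RECOMMENDED, client_id OPTIONAL, the two must agree when both are sent, and a post_logout_redirect_uri is only honoured for an identified RP and only if registered), not on Keycloak's actual code, and it decodes the hint without verifying a signature, which a real provider must do.

```python
import base64
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed sample ID token (header.payload. with an empty signature).
    It only gives the example something to decode; a real OP verifies the
    signature against the issuing key before trusting any claim in the hint."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def _payload_claims(jwt: str) -> dict:
    """Decode the payload segment without verifying it (toy helper, see above)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# ---- RP side: what the app does when single logout is triggered ----

def build_end_session_url(end_session_endpoint: str, client_id: str,
                          id_token: Optional[str], post_logout_redirect_uri: str,
                          state: Optional[str] = None,
                          send_id_token_hint: bool = True) -> str:
    """Build the end_session_endpoint URL the browser is redirected to.

    send_id_token_hint=False models the opt-out setting from the commit
    message: the URL then carries only client_id, which the spec names as
    the way to identify the RP when no id_token_hint is sent."""
    params = {"client_id": client_id,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    if send_id_token_hint and id_token:
        params["id_token_hint"] = id_token
    # state is echoed back to post_logout_redirect_uri, so the RP can tie the
    # return to the logout it started instead of trusting any GET on that path.
    params["state"] = state or secrets.token_urlsafe(16)
    parts = urlsplit(end_session_endpoint)
    query = parse_qs(parts.query, keep_blank_values=True)  # keep any query the endpoint already has
    query.update({k: [v] for k, v in params.items()})
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


# ---- OP side: the check a provider applies before honouring the redirect ----
# Modelled on the RP-Initiated Logout rules; this is not Keycloak's implementation.

REGISTERED_CLIENTS = {  # constructed registration data
    "nextcloud": {"post_logout_redirect_uris": ["https://cloud.example.org/"]},
}


def check_logout_request(url: str, clients: dict = REGISTERED_CLIENTS) -> dict:
    q = query_params(url)
    hint, client_id = q.get("id_token_hint"), q.get("client_id")
    redirect = q.get("post_logout_redirect_uri")

    if hint:
        aud = _payload_claims(hint).get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if client_id and client_id not in aud:
            return {"ok": False, "error": "client_id does not match id_token_hint audience"}
        if client_id is None and len(aud) == 1:
            client_id = aud[0]  # the hint alone identifies the RP

    if redirect:
        if client_id is None:
            # Nothing identifies the RP, so the redirect cannot be validated:
            # this is the situation behind the error message seen in the thread.
            return {"ok": False, "error": "Missing parameters: id_token_hint"}
        allowed = clients.get(client_id, {}).get("post_logout_redirect_uris", [])
        if redirect not in allowed:  # exact match, as the spec requires
            return {"ok": False, "error": "post_logout_redirect_uri not registered"}

    return {"ok": True, "client_id": client_id, "redirect": redirect, "state": q.get("state")}


if __name__ == "__main__":
    token = make_unsigned_id_token({"iss": "https://idp.example.org/realms/demo",
                                    "aud": "nextcloud", "sub": "alice"})
    url = build_end_session_url(
        "https://idp.example.org/realms/demo/protocol/openid-connect/logout",
        "nextcloud", token, "https://cloud.example.org/")
    print(url)
    print(check_logout_request(url))
```

Sending the hint means the ID token, which in the code flow otherwise only crosses the back channel between the RP and the token endpoint, is placed in a GET URL the browser follows: it lands in browser history and in whatever logs the request line, so the opt-out setting trades that exposure against the provider's ability to validate the redirect. The ID token is not a credential for resource access, but it does carry the user's identity claims, which is why the commit treats exposing it as a setting rather than a non-issue.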
arnegns pushed a commit to hpi-schul-cloud/user_oidc that referenced this issue Sep 20, 2022
@DaphneMuller

@julien-nc can you look into an effort estimate for this one? It's the top-voted issue among all our team's apps.

@julien-nc
Member

Fixed in #493, so it's there since v1.2.1.
