Can not logout via Keycloak - Missing parameters id_token_hint #449
Comments
Same issue. Edit: It seems something new in Keycloak 18, as we can see in the section Apparently we can work around this with
This adds two parameters to the end_session_endpoint IdP URL which the user gets redirected to when singleLogout is triggered. These parameters are:
- client_id: the client ID of the current session's provider
- id_token_hint: the raw id_token that was obtained during the code callback of this session's login flow (set in session variable `oidc.id_token`). Some providers (e.g. node-oidc-provider and Keycloak) require this when using the code OAuth flow.

Because passing id_token_hint reveals the id_token to the user agent, an app setting was also added to optionally turn this behaviour off (default is turned on).

Builds upon PR nextcloud#373 / issue nextcloud#336
Fixes issue nextcloud#449

This adds two parameters to the end_session_endpoint IdP URL which the user gets redirected to when singleLogout is triggered. These parameters are:
- client_id: the client ID of the current session's provider
- id_token_hint: the raw id_token that was obtained during the code callback of this session's login flow (set in session variable `oidc.id_token`). Some providers (e.g. node-oidc-provider and Keycloak) require this when using the code OAuth flow.

Because passing id_token_hint reveals the id_token to the user agent, an app setting was also added to optionally turn this behaviour off (default is turned on).

Builds upon PR nextcloud#373 / issue nextcloud#336
Fixes issue nextcloud#449

Signed-off-by: Pieter Fiers <pieter@pfiers.net>

This adds two parameters to the end_session_endpoint IdP URL which the user gets redirected to when singleLogout is triggered. These parameters are:
- client_id: the client ID of the current session's provider. 'OPTIONAL' as per the relevant OpenID specification.
- id_token_hint: the raw id_token that was obtained during the code callback of this session's login flow (set in session variable `oidc.id_token`). 'RECOMMENDED' by the relevant OpenID specification [1]. Some providers (e.g. node-oidc-provider[2] and Keycloak[3]) require this when using the code OAuth flow.

Because passing id_token_hint reveals the id_token to the user agent, an app setting was also added to optionally turn this behaviour off (default is turned on).

Builds upon PR nextcloud#373 / issue nextcloud#336
Fixes issue nextcloud#449

[1]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
[2]: https://github.com/panva/node-oidc-provider/blob/c243bf6b6663c41ff3e75c09b95fb978eba87381/lib/actions/end_session.js#L32
[3]: https://www.keycloak.org/docs/latest/release_notes/index.html#oidc-logout-changes

Signed-off-by: Pieter Fiers <pieter@pfiers.net>
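The logout redirect this commit message describes, as an added Python sketch that is neither part of the thread nor the project's own code. The function names, the `send_id_token_hint` switch (standing in for the app setting) and the `idp.example` URL are assumptions; `post_logout_redirect_uri` is the optional parameter from the RP-Initiated Logout specification.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters this relying party sets itself; values for these that are
# already present on the endpoint URL are discarded, not trusted.
RP_PARAMS = {"client_id", "id_token_hint", "post_logout_redirect_uri"}


def build_end_session_url(end_session_endpoint, client_id, session,
                          send_id_token_hint=True,
                          post_logout_redirect_uri=None):
    """Build the IdP logout URL the user agent is redirected to.

    `session` is a dict-like session store; the raw ID token is read from
    the `oidc.id_token` key named in the commit message.
    """
    parts = urlsplit(end_session_endpoint)
    # The specification requires https for end_session_endpoint and allows
    # it to carry its own query component, which is preserved here.
    if parts.scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in RP_PARAMS]
    params.append(("client_id", client_id))
    id_token = session.get("oidc.id_token")
    # The hint puts the raw ID token into a URL the browser sees (history,
    # proxies, logs), which is why the commit makes it switchable.
    if send_id_token_hint and id_token:
        params.append(("id_token_hint", id_token))
    if post_logout_redirect_uri:
        params.append(("post_logout_redirect_uri", post_logout_redirect_uri))
    return urlunsplit(parts._replace(query=urlencode(params)))


def logout_params(url):
    """Return the query parameters of a logout URL, i.e. what the user agent sees."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    endpoint = "https://idp.example/realms/demo/protocol/openid-connect/logout"
    sess = {"oidc.id_token": "HEADER.PAYLOAD.SIGNATURE"}
    print(build_end_session_url(endpoint, "nextcloud", sess))
    print(build_end_session_url(endpoint, "nextcloud", sess, send_id_token_hint=False))
```

With the hint switched off, a provider that insists on `id_token_hint` will answer with the same "Missing parameters" error the reporter describes, so the switch is a trade-off between token exposure and provider compatibility.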
@julien-nc can you look into an effort estimate for this one? It's the top-voted issue among all our team's apps
Fixed in #493 so it's there since v1.2.1.
I have an issue with logout via Keycloak.
When a user clicks on the logout button, they see:
Missing parameters: id_token_hint
The Keycloak logout URL is used properly, but id_token_hint, which is required, is not set.
This token is issued after the user signs in, as the id_token value in the Keycloak response of the auth endpoint.
Could it be fixed, please? Or could you help to clarify it? Because I am not able to use logout.