Logout user via Keycloak REST API doesn't work

keycloak

I have issue while calling Keycloak's logout endpoint from an (mobile) application.

This scenario is supported as stated in its documentation:

/realms/{realm-name}/protocol/openid-connect/logout

The logout endpoint logs out the authenticated user.

The user agent can be redirected to the endpoint, in which case the active user session is logged out. Afterward the user agent is redirected back to the application.

The endpoint can also be invoked directly by the application. To invoke this endpoint directly the refresh token needs to be included as well as the credentials required to authenticate the client.

My request has following format:

POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout
Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded

refresh_token=<refresh_token>

but this error always occurs:

HTTP/1.1 400 Bad Request
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: application/json
Content-Length: 123
Date: Wed, 11 Oct 2017 12:47:08 GMT

{
  "error": "unauthorized_client",
  "error_description": "UNKNOWN_CLIENT: Client was not identified by any client authenticator"
}

It seems that Keycloak is unable to detect the current client's identity event if I've provided access_token. I've the used same access_token to access other Keycloak's APIs without any problems, like userinfo (/auth/realms//protocol/openid-connect/userinfo).

My request was based on this Keycloak's issue. The author of the issue got it worked but it is not my case.

I'm using Keycloak 3.2.1.Final.

Do you have that same problem? Have you got any idea how to solve it?


Finally, I've found the solution by looking at the Keycloak's source code: https://github.com/keycloak/keycloak/blob/9cbc335b68718443704854b1e758f8335b06c242/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L169. It says:

If the client is a public client, then you must include a "client_id" form parameter.

So what I was missing is the client_id form parameter. My request should have been:

POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout
Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded

client_id=<my_client_id>&refresh_token=<refresh_token>

The session should be destroyed correctly.


Works with Keycloak 6.0.

Just for clarity: we do expire refreshToken, but accessToken IS STILL VALID while "Access Token Lifespan" time. Next time user tries to renew access token passing refresh token, Keycloak returns 400 Bad request, what should be catch and send as 401 Unauthorised response.

public void logout(String refreshToken) {
    try {
        MultiValueMap<String, String> requestParams = new LinkedMultiValueMap<>();
        requestParams.add("client_id", "my-client-id");
        requestParams.add("client_secret", "my-client-id-secret");
        requestParams.add("refresh_token", refreshToken);

        logoutUserSession(requestParams);

    } catch (Exception e) {
        log.info(e.getMessage(), e);
        throw e;
    }
}

private void logoutUserSession(MultiValueMap<String, String> requestParams) {
    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

    HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(requestParams, headers);
    String realmName = "your-realm-name";
    String url = "/auth/realms/" + realmName + "/protocol/openid-connect/logout";

    restTemplate.postForEntity(url, request, Object.class);
    // got response 204, no content
}

Finally. It worked for me. I made a REST call as shown below:

Headers:

{
 "Authorization" : "Bearer <access_token>",
 "Content-Type" : "application/x-www-form-urlencoded"
}

Request Body:

{
    "client_id" : "<client_id>",
    "client_secret" : "<client_secret>",
    "refresh_token" : "<refresh_token>"
}

Method:

POST

URL:

<scheme>://<host>:<port>/auth/realms/<realmName>/protocol/openid-connect/logout

I received 200 as a response... If you do anything wrong you will get 401 or 400 errors. It's very tough to debug this issue. BTW my keycloak version is 12.0.4

Let me know if the post is not clear or if you need more information.


in version 3.4 you need as x-www-form-urlencoded body key client_id, client_secret and refresh_token.


FYI: OIDC spec and Google's implementation has a token revocation endpoint

It was implemented in Keycloak 10. See Keycloak JIRA for details

Related

In a bash script, how do I sanitize user input?
How do you duplicate a file in XCode?
Get Project or Relative Directory with T4
LINQ identity function
WPF (MVVM): Closing a view from Viewmodel?
'RelatedManager' object has no attribute
Xcode spell checking
Is there a way in Python to return a value via an output parameter?
Is it possible to build a torrent client using only HTML(5) and JavaScript?
How to maximize a JFrame through code?
RHEL sends mail as myhost.localdomain but I don't want the localdomain suffix/FQDN
Postfix SMTP authenticated can send as anyone