10

I'm trying to use keycloak with a react app, this is my current client configuration...I did this inside the master realm

(screenshot: client configuration)

this is my keycloak config

export const keycloakConfig = {
  "realm": "master",
  "auth-server-url": "http://localhost:8180/",
  "ssl-required": "external",
  "resource": "demo",
  "public-client": true,
  "confidential-port": 0,
  "clientId" : "demo",
  "url" : "http://localhost:8180/"
};

I based my code on this repo

now...I can login without problems in my app, and the displayed url is this

http://localhost:8180/realms/master/protocol/openid-connect/auth?client_id=demo&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&state=ba9daf04-ffdb-4ad3-b912-8be846f0684b&response_mode=fragment&response_type=code&scope=openid&nonce=558d71b7-2c66-44f8-9297-84694dc571a8

but when I try to logout I get a message

Invalid parameter: redirect_uri

the logout url is this

http://localhost:8180/realms/master/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F

I'm not sure if my client config is correct because this has several missing parameters in almost all tutorials that I've found

Do you know what could be the problem here? thank you guys

user1050817
  • In my case I can't even login, I'm getting the same error: `Invalid parameter: redirect_uri` when I redirected to the login page. I just upgraded to the keycloak 18. – Kostanos May 25 '22 at 11:48

5 Answers

18

From the Release Notes:

OpenID Connect Logout

Previous versions of Keycloak had supported automatic logout of the user and redirecting to the application by opening logout endpoint URL such as http(s)://example-host/auth/realms/my-realm-name/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri. While that implementation was easy to use, it had potentially negative impact on performance and security. The new version has better support for logout based on the OpenID Connect RP-Initiated Logout specification. The parameter redirect_uri is no longer supported; also, in the new version, the user needs to confirm the logout. It is possible to omit the confirmation and do automatic redirect to the application when you include parameter post_logout_redirect_uri together with the parameter id_token_hint with the ID Token used for login.

The existing deployments are affected in the following ways:

If your application directly uses links to logout endpoint with the redirect_uri parameter, you may be required to change this as described above. Consider either removing the redirect_uri parameter entirely or replacing it with the id_token_hint and post_logout_redirect_uri parameters.

If you use java adapters and your application does logout by call httpServletRequest.logout(), you are not affected because this call uses the backchannel variant of the logout endpoint and that one was not changed.

If you use the latest javascript adapter, you are also not affected. However if your application uses an older version of the JavaScript adapter, you are affected as this adapter uses the variant of the logout endpoint with the deprecated redirect_uri parameter. In this case, you may need to upgrade to the latest version of the JavaScript adapter.

For the Node.js adapter, the same guideline applies as for the JavaScript adapter. You are encouraged to update to the latest version as the older version of the adapter uses the deprecated redirect_uri parameter. With the latest Node.js adapter, you are not affected as long as you use the logout based on the /logout URL as described in the documentation or in the Node.js adapter example. However, in the case when your application directly uses the method keycloak.logoutUrl, you can consider adding idTokenHint as the second argument to this method. The possibility to add idTokenHint as second argument was newly added in this version. The idTokenHint needs to be a valid ID Token that was obtained during the login. Adding idTokenHint is optional, but if you omit it, your users will need to confirm the logout screen as described earlier. Also they will not be redirected back to the application after logout.

There is a backwards compatibility option, which allows your application to still use the old format of the redirect_uri parameter.

You can enable this parameter when you start the server by entering the following command:

bin/kc.[sh|bat] --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true start

With this configuration, you can still use the format with the redirect_uri parameter. Note the confirmation screen will be needed if the id_token_hint is omitted. Warning: The backwards compatibility switch will be removed in some future version - probably Keycloak 21. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.

csbrogi
2

I've had the same problem for hours already. The only workaround I found is manually sending the user to:

/realms//protocol/openid-connect/logout

I started using Keycloak 18.0.0 a few days ago and I cannot find any other solution for this problem. I guess it's only happening when using the newest version. Maybe we should read the documentation better.

Y.T.Sengul
2

For the latest Keycloak versions you have to redirect explicitly to

https://your server url/auth/realms/matrix/protocol/openid-connect/logout

Ali-Alrabi
1

This issue comes when the keycloak is upgraded to version 18. So we also need to upgrade Keycloak JS & keycloak-angular package.

https://www.npmjs.com/package/keycloak-js https://www.npmjs.com/package/keycloak-angular

Everything else will be similar.

Greenbox
0

I was facing the same issue and I found out this.

"According to the version 18 release note. Keycloak does not support logout with redirect_uri anymore. you need to include post_logout_redirect_uri and id_token_hint as parameters."

Ref Link : keycloak Invalid parameter: redirect_uri

Keycloak Docs: "Keycloak Docs also states that redirect_uri is no longer supported, you should use post_logout_redirect_uri"

Ref Link : https://www.keycloak.org/2022/04/keycloak-1800-released#_openid_connect_logout

- Solution that worked for me:

So now that we have to use post_logout_redirect_uri, I need to use either the client_id or the id_token_hint parameter with it. So I had three options:

  1. stop using post_logout_redirect_uri
  2. add a client_id parameter to post_logout_redirect_uri
  3. add an id_token_hint parameter to post_logout_redirect_uri

So I used the 2nd way and created the URL

  • http://{MY-KEYCLOAK-URL}/realms/{MY-REALM-NAME}/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2F{MY-REDIRECT-URL-LINK}&client_id={MY-CLIENT-ID}

Ref Link : https://dev.to/austincunningham/keycloak-1901-and-setting-the-idtokenhint-220c

Thanks!
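As an added example (not code from the question or any of the answers), this builds the Keycloak 18+ RP-initiated logout URL that the accepted answer's release notes and the last answer describe, and flags the legacy redirect_uri form that now produces "Invalid parameter: redirect_uri". The function names and the sample host, realm, client and redirect values are assumptions constructed for the example; with keycloak-js the raw ID token for id_token_hint is available as keycloak.idToken.

```javascript
// Added example: Keycloak 18+ logout URL construction (not the project's own code).
// Keycloak 18 dropped redirect_uri on the front-channel logout endpoint. A post-logout
// redirect is only honoured when the request carries post_logout_redirect_uri together
// with id_token_hint (preferred: proves who is logging out) or, failing that, client_id.
// The redirect URI must also be one registered for the client in Keycloak.
function buildLogoutUrl({ baseUrl, realm, postLogoutRedirectUri, idTokenHint, clientId }) {
  // Keep any path prefix such as /auth that older deployments still use.
  const base = baseUrl.replace(/\/+$/, '');
  const url = new URL(`${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`);

  if (postLogoutRedirectUri) {
    if (!idTokenHint && !clientId) {
      // Without one of these Keycloak cannot tie the redirect to a client and will
      // show its confirmation screen instead of redirecting (or reject the request).
      throw new Error('post_logout_redirect_uri requires id_token_hint or client_id');
    }
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
    if (idTokenHint) {
      url.searchParams.set('id_token_hint', idTokenHint);
    } else {
      url.searchParams.set('client_id', clientId);
    }
  }
  // No post_logout_redirect_uri: Keycloak shows the logout confirmation page.
  return url.toString();
}

// Returns the query parameters on a logout URL that Keycloak 18+ no longer accepts,
// so an app can spot the legacy form (e.g. from an old adapter) before redirecting.
function legacyLogoutParams(logoutUrl) {
  const params = new URL(logoutUrl).searchParams;
  return ['redirect_uri'].filter((name) => params.has(name));
}

// Constructed sample values matching the question's setup.
const sampleLogout = buildLogoutUrl({
  baseUrl: 'http://localhost:8180/',
  realm: 'master',
  postLogoutRedirectUri: 'http://localhost:3000/',
  clientId: 'demo',
});
console.log(sampleLogout);
```

The id_token_hint variant is the one to prefer in production: client_id alone lets anyone craft a logout link for that client, while the ID token binds the request to the session that was actually logged in.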