openshift/enhancements

SSO logout redirect uri new spec

xkotj opened this issue · 6 comments

xkotj commented

Hello,
I would like to explain the need for the post_logout_redirect_uri and id_token_hint parameters in the logoutRedirect config.
While integrating SSO (Keycloak 19, OIDC) with OKD, I found that there is no possibility to include id_token_hint as a variable in the logoutRedirect URI configuration.

https://docs.openshift.com/container-platform/4.11/web_console/configuring-web-console.html

Keycloak 18+ deprecated the logout parameter redirect_uri.
Reason: While that implementation was easy to use, it had a potentially negative impact on performance and security.
https://www.keycloak.org/2022/04/keycloak-1800-released#_openid_connect_logout
https://www.keycloak.org/2022/07/keycloak-1900-released_oidc_logout_changes

This will be removed probably in version 23.

A workaround for this issue is to start Keycloak 18+ with the legacy parameter:
bin/kc.[sh|bat] --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true start

After applying the workaround, the user is correctly redirected to the OKD login screen after logout.

For future releases of Keycloak, a feature is needed in OKD to comply with the OIDC spec: the OpenID Connect RP-Initiated Logout specification.

Best Regards,
JK
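
The two logout request shapes discussed in the issue above, as an added example that is not part of the original post and is not OKD or Keycloak code. The hostnames, realm name and token value are constructed, and the `state` parameter comes from the RP-Initiated Logout specification rather than from the issue.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration; none of these come from the issue.
END_SESSION = "https://sso.example.com/realms/demo/protocol/openid-connect/logout"
CONSOLE_URL = "https://console.example.com/"
ID_TOKEN = "constructed.id.token"  # stands in for the ID token issued at login


def legacy_logout_url(end_session, redirect_uri):
    """Deprecated form: a bare redirect_uri, nothing tying it to a client."""
    return end_session + "?" + urlencode({"redirect_uri": redirect_uri})


def rp_initiated_logout_url(end_session, id_token, post_logout_redirect_uri):
    """RP-Initiated Logout form. Returns (url, state) so state can be checked later."""
    if not id_token:
        # The OP uses the ID token to identify the client whose registered
        # post-logout URIs it compares against; this example requires it.
        raise ValueError("id_token_hint is required for a post-logout redirect")
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return end_session + "?" + query, state


def logout_return_is_valid(return_url, expected_uri, expected_state):
    """True only if the browser landed on our URI carrying the state we issued."""
    got, want = urlsplit(return_url), urlsplit(expected_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False
    states = parse_qs(got.query).get("state", [])
    return len(states) == 1 and secrets.compare_digest(
        states[0].encode(), expected_state.encode())


if __name__ == "__main__":
    print(legacy_logout_url(END_SESSION, CONSOLE_URL))
    url, state = rp_initiated_logout_url(END_SESSION, ID_TOKEN, CONSOLE_URL)
    print(url)
    print(logout_return_is_valid(CONSOLE_URL + "?state=" + state, CONSOLE_URL, state))
```

A static logoutRedirect URL can only express the first form, because the ID token differs for every session.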

Inactive enhancement proposals go stale after 28d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Mark the proposal as fresh by commenting /remove-lifecycle stale.
Stale proposals rot after an additional 7d of inactivity and eventually close.
Exclude this proposal from closing by commenting /lifecycle frozen.

If this proposal is safe to close now please do so with /close.

/lifecycle stale

Stale enhancement proposals rot after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Rotten proposals close after an additional 7d of inactivity.
Exclude this proposal from closing by commenting /lifecycle frozen.

If this proposal is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

Rotten enhancement proposals close after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Reopen the proposal by commenting /reopen.
Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Exclude this proposal from closing again by commenting /lifecycle frozen.

/close

@openshift-bot: Closing this issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/reopen
This is still not working.

@dverbeek84: You can't reopen an issue/PR unless you authored it or you are a collaborator.
