external-auth-server
EAS + Keycloak - Logout
Hi
I am using EAS + Keycloak
EAS Config:
```yaml
****-com-eas:
  aud: ****-com-eas
  eas:
    plugins:
      - type: oidc
        issuer:
          discover_url: "https://iam****.com/realms/Portal/.well-known/openid-configuration"
          issuer: "https://iam.****.com/realms/Portal"
          authorization_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/auth"
          token_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/token"
          userinfo_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/userinfo"
          jwks_uri: "https://iam.****.com/realms/Portal/protocol/openid-connect/certs"
        client:
          client_id: ****-com-eas
          client_secret: j********************B
          registration_client_uri: "https://iam.****.com/realms/Portal/clients-registrations/openid-connect/portal-eas"
          registration_access_token: "eyJ*********************************************************************************************************************************************************************************************************************************************H2s"
        scopes:
          - openid
          - email
          - profile
        custom_authorization_parameters: { }
        custom_authorization_code_parameters: { }
        custom_refresh_parameters: { }
        custom_revoke_parameters: { }
        redirect_uri: "https://auth.****.com/oauth/callback"
        features:
          cookie_expiry: false
          userinfo_expiry: true
          session_expiry: true
          session_expiry_refresh_window: 86400
          session_retain_id: true
          refresh_access_token: true
          fetch_userinfo: true
          introspect_access_token: false
          introspect_expiry: 0
          authorization_token: access_token
          filtered_service_headers: [ ]
          logout:
            revoke_tokens_on_logout: ["refresh_token", "access_token", "id_token"]
            end_provider_session:
              enabled: false
              post_logout_redirect_uri: "https://auth.****.com/oauth/end-session-redirect"
            backchannel:
              enabled: false
        assertions:
          exp: true
          nbf: true
          iss: true
          userinfo: [ ]
          id_token: [ ]
          access_token: [ ]
        xhr:
          redirect_http_code: 401
          use_referer_as_redirect_uri: true
        csrf_cookie:
          enabled: true
          domain: "****.com"
          path: /
          httpOnly: true
          secure: true
          sameSite: none
        cookie:
          name: corex-iam-session
          domain: "****.com"
          path: /
          httpOnly: true
          secure: true
          sameSite: none
        custom_error_headers:
          Access-Control-Allow-Origin:
            source: req
            query_opts:
              single_value: true
            query_engine: jp
            query: "$.headers.origin"
          Access-Control-Allow-Credentials:
            source: static
            query_engine: static
            query: true
          Access-Control-Allow-Headers:
            source: static
            query_engine: static
            query: "location, x-pagination"
          Access-Control-Expose-Headers:
            source: static
            query_engine: static
            query: "location, x-pagination"
        custom_service_headers: { }
```
My front-end has a Logout button that calls:
https://{{ .Values.web.domain }}/api?__eas_oauth_handler__=logout&redirect_uri=https://{{ .Values.web.domain }}
While the call itself works, I am not redirected immediately to the Keycloak login page, but I am getting a 302 error (I still stay on the front-end) in the console. I have to refresh the front-end page to be redirected to Keycloak...
I am assuming that there should be an await somewhere?
Welcome! That’s a pretty great config you have! I love to see folks using the advanced features :)
Is the logout button executing an xhr/ajax request? Or is it sending the browser to the logout URL directly?
Thanks, we are trying to squeeze out the best stuff of it.
We are currently sending the browser to the logout URL directly...
Then my guess is you need to URL-encode the redirect URI. The logs of EAS and/or the HAR from the browser (make sure to cleanse anything sensitive, and you may email it vs. attaching it on GitHub) would be helpful to see what the browser is doing and what EAS is doing.
Alternatively a screenshare/call would be fine as well. Again just email me and we can sort out details if you wish.
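What URL-encoding the redirect URI changes, as an added example that is not part of the original thread or of EAS's own code: it builds the logout URL by plain concatenation and with `URLSearchParams`, then parses each the way a standard query-string parser would. The host name and the nested target URL are constructed; only the `__eas_oauth_handler__` and `redirect_uri` parameter names come from the page.

```javascript
// Added example, not EAS code. Host names and the target URL are constructed.
const HANDLER_PARAM = "__eas_oauth_handler__"; // parameter name taken from the page

// Plain string concatenation: the nested URL is pasted into the query as-is.
function buildLogoutUrlNaive(apiUrl, redirectUri) {
  return `${apiUrl}?${HANDLER_PARAM}=logout&redirect_uri=${redirectUri}`;
}

// URLSearchParams percent-encodes the nested URL, so it stays a single value.
function buildLogoutUrl(apiUrl, redirectUri) {
  const url = new URL(apiUrl);
  url.searchParams.set(HANDLER_PARAM, "logout");
  url.searchParams.set("redirect_uri", redirectUri);
  return url.toString();
}

// What a standard query-string parser on the receiving side would see.
function parseQuery(logoutUrl) {
  return Object.fromEntries(new URL(logoutUrl).searchParams.entries());
}

// Constructed sample: a redirect target that carries its own query and fragment.
const api = "https://app.example.com/api";
const target = "https://app.example.com/home?tab=settings&lang=en#top";

const naive = parseQuery(buildLogoutUrlNaive(api, target));
const encoded = parseQuery(buildLogoutUrl(api, target));

// Unencoded: the target's "&lang=en" becomes a parameter of the logout call
// itself and "#top" becomes the fragment of the outer URL, so redirect_uri is cut short.
console.log("naive  :", naive);
// Encoded: redirect_uri round-trips exactly and no stray parameters appear.
console.log("encoded:", encoded);
```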