apisix
apisix copied to clipboard
apache
help request: Issue with Redirecting User after Logout using OpenID-Connect and Keycloak
Description
I am trying to set up OpenID-Connect and Keycloak, but for some reason, I cannot redirect the user after logout.
Here is the JSON configuration for the OpenID-Connect plugin:
{
"_meta": {
"disable": false
},
"bearer_only": false,
"client_id": "apisix",
"client_secret": "YB2YHVyg2UuAaaujB6AGMDEPngjbVlld",
"discovery": "https://keycloak.mydomain.com:8443/realms/apisix/.well-known/openid-configuration",
"introspection_endpoint_auth_method": "client_secret_post",
"post_logout_redirect_uri": "http://keycloak.mydomain.com:9080/dashboard",
"realm": "apisix",
"redirect_uri": "http://keycloak.mydomain.com:9080/*",
"scope": "openid profile"
}
When attempting to log out, I receive the following response from Keycloak:
2024-07-17 11:12:47 2024-07-17 05:42:47,974 WARN [org.keycloak.events] (executor-thread-398) type="LOGOUT_ERROR", realmId="902db3c9-5318-4f78-88b5-3d3d00d44927", realmName="apisix", clientId="null", userId="null", ipAddress="172.27.0.1", error="invalid_request", reason="Either the parameter 'client_id' or the parameter 'id_token_hint' is required when 'post_logout_redirect_uri' is used."
2024-07-17 11:12:47 2024-07-17 05:42:47,975 WARN [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (executor-thread-398) Either the parameter 'client_id' or the parameter 'id_token_hint' is required when 'post_logout_redirect_uri' is used.
It appears that either the client_id or the id_token_hint parameter is required when using the post_logout_redirect_uri parameter. However, it is unclear how to include these parameters in the logout request.
Ref image:
Environment
Environment
- APISIX version: 3.9.0
- Operating system: Linux
- OpenResty / Nginx version: openresty/1.25.3.1
- etcd version: 3.5.0
- APISIX Dashboard version: 3.0.1
- keycloak version: 25.0.1
