Can I overwrite the logout endpoint?

moritzschmitz-oviva · April 8, 2025, 8:07am

We have a requirement to add the Cache-Control: no-store, no-cache header to the logout resource?

What is the best way to achieve this?

Can I re-implement/extend the logout resource?

xgp · April 8, 2025, 12:14pm

The built-in OIDC endpoints are not part of an SPI implementation, and can’t be overridden.

moritzschmitz-oviva · April 9, 2025, 7:08am

Thanks for the response.

xgp · April 9, 2025, 7:28am

I have never tried it, but you may be able to add a header from another extension by

Check to see what the request URI is and match it to the logout endpoint. You can do that with session.getContext().getUri()
Update the HTTP response with session.getContext().getHttpResponse() which has a setHeader method, documented here HttpResponse (Keycloak Docs Distribution 26.1.4 API)

dasniko · April 9, 2025, 11:55am

Perhaps another option would be to add the desired header value on the reverse-proxy level, when processing the response(s) from Keycloak!?

lamoboos223 · April 12, 2025, 9:01am

why not change the core code and recompile keycloak? @dasniko isn’t that a valid solution? because I recall 4 years ago that the email section didn’t serve my needs, so i changed the code and recompiled the jars and deployed it to wildfly.

xgp · April 12, 2025, 10:07am

Sorry to say, I think that’s the worst possible solution. Forking keycloak core means you have to maintain your changes with every version release. Even with the slower pace of major releases, that’s a lot of work to make sure you are maintaining and testing it properly.

I think @dasniko 's solution is the most elegant, as you can do it without changing anything in Keycloak or in an extension.

I did a test on my suggested solution, and it works properly. If you are already building an extension for other reasons, it’s a valid solution that doesn’t require forking keycloak core.

dasniko · April 12, 2025, 10:26am

Nothing to here for @xgp s comment.
Not just because something is technically possible, it is a good solution.

lamoboos223 · April 12, 2025, 11:43am

No problem guys, I appreciate your thoughts and answers, thank you!

djordje · April 14, 2025, 9:54am

Why not adding its own logout endpoint with your logic?

dteleguin · April 15, 2025, 11:30pm

As an alternative, you can deploy a simple JAX-RS filter into Keycloak. This example does exactly what you’re looking for, but for UserInfo endpoint (you will need to change that to LogoutEndpoint).

Pros:

deployed as an add-on, no changes to Keycloak code needed
self-contained solution, not depending on reverse proxy
no need to configure URL patterns (which might potentially change), the filter will be always bound to the correct endpoint

Cons:

known compatibility issues - please consider thorough testing before deploying to production

Good luck!

moritzschmitz-oviva · April 23, 2025, 7:52am

Thank you. This is what we are doing at the moment. I was just hoping for a solution closer to the service.

moritzschmitz-oviva · April 23, 2025, 7:52am

This looks good. I will give it a try. Thank you!

Topic		Replies	Views
How is logout really working and can we bypass the logout-confirm page? Tips and tricks oidc	6	32398	May 17, 2024
Custom logout which style to use: REST endpoint or Jakarta filter Getting advice authentication	4	35	March 11, 2025
Propagate logout from external identity provider to keycloak broker Configuring the server identity-brokering , oidc	1	1595	October 7, 2021
Java OIDC adapter logs out via frontend URL instead of auth-server-url Securing applications oidc	1	508	March 25, 2022
Logout at Spring Authorization Server doesn't terminate user session in Keycloak Getting advice authentication , identity-brokering , oidc	1	3020	December 13, 2022

Can I overwrite the logout endpoint?

Related topics