CORs error with OpenID 1.0 Connect Logout

minky · March 8, 2022, 10:26pm

Hello,
I am using Spring Security 5.2, Keycloak v12, Angular v10 and Kubernetes.
When logging out, Spring Security invalidates the security session and creates a redirect URI to keycloak.

Keycloak does logout the user and deletes the session:

20:32:53,161 DEBUG [org.keycloak.services.util.CookieHelper] (default task-47) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
20:32:53,161 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-47) Could not find cookie: KEYCLOAK_IDENTITY
20:32:53,161 DEBUG [org.keycloak.services.util.CookieHelper] (default task-47) Could not find cookie KEYCLOAK_SESSION, trying KEYCLOAK_SESSION_LEGACY
20:32:53,181 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-47) Could not find cookie: KEYCLOAK_SESSION
20:32:53,182 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-47) Logging out: acme_user (ea33c7d3-e71f-41f9-b9af-1f947390adc3) offline: false
20:32:53,182 DEBUG [org.keycloak.services.util.CookieHelper] (default task-47) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
20:32:53,183 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-47) backchannel logout to: acme-grid
20:32:53,185 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-47) Cant logout {0}: no management url
20:32:53,186 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-47) All clients have been logged out for user acme_user in acmeRealm realm, session ea33c7d3-e71f-41f9-b9af-1f947390adc3
20:32:53,188 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-47) JtaTransactionWrapper  commit
20:32:53,201 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-47) JtaTransactionWrapper end
20:32:53,201 DEBUG [org.keycloak.events] (default task-47) type=LOGOUT, realmId=196bd891-7d6d-4aa9-b422-9181f69d31c1, clientId=null, userId=b8afecd5-b6f9-4016-b91f-0c206bc08801, ipAddress=ZZZ.ZZZ.ZZ.Z, authSessionParentId=ea33c7d3-e71f-41f9-b9af-1f947390adc3, authSessionTabId=tJAewwAZxfA

However, the browser errors with a CORs violation:

/#/:1 Access to XMLHttpRequest at 'http://XXX.XXX.X.XX:31131/auth/realms/acmeRealm/protocol/openid-connect/logout?id_token_hint=blahblahblah&post_logout_redirect_uri=http://YYY.YYY.Y.YY:30001' (redirected from 'http://YYY.YYY.Y.YY:30001/logout?_csrf=748c7b1a-a634-4ce5-8728-c4f97d41820d') from origin 'http://YYY.YYY.Y.YY:30001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I expected the web origins setting to allow me to get around this error, but setting it to “*” and other values did not get rid of this error.

jangaraj · March 9, 2022, 7:44am

You need to redirect whole browser to logout url. Calling logout url by using XMLHttpRequest doesn’t work by design.

minky · March 24, 2022, 6:23pm

Hello jangarai,

Thanks for the response.

I am not clear on what you meany by redirect whole browser to logout uri.

According to OpenID Connect 1.0 Logout, the redirect to keycoak is generated on the server side by spring security, once it has cleared the security session and cookies. From a front end perspective, all that is required is to post to a /logout URL.

Anyway, I solved the issue by not using XMLHttpRequest to POST to the logout URL, since the redirect will cause CORs policy to be enforced, as you say, by design.

Instead, I used a hidden form that submitted a POST along with a “_csrf” param that I populated with the X-XSRF-TOKEN cookie that Spring and Angular manage.

This satisfied CSRF and CORS.