Custom logout which style to use: REST endpoint or Jakarta filter

jonnewell · March 5, 2025, 6:42pm

Hello,

I need to implement some custom logout functionality that needs access to the browser request/response context. The first idea I had was to implement a server REST api endpoint that mimics the builtin methods for logout protocol/openid-connect/logout and also handles my custom logout requirement.

Another idea from a super smart teammate was to simply implement a Jakarta filter that intercepts the logout

@Provider
@Priority(1000)
public class LogoutRequestFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String path = requestContext.getUriInfo().getPath();
        if (path.contains("protocol/openid-connect/logout")) {
           //... custom logout logic here
       }
}
// keycloack logout logic runs next.......

This seems like a much better implementation than a custom REST endpoint. It does not involve configuring META-INF.services with an SPI name. I have not seen Keycloak extended in this fashion before. Is there any downside to this ?

Thanks!

xgp · March 8, 2025, 2:47pm

There isn’t a good way to load filters into Keycloak, and they also haven’t created any way to hook into the logout flow (the same way you can hook into the login flows with Authenticators). If you need to modify the logout behavior, I don’t think it is possible. If you want it to have a side-effect, you can do it by implementing EventListenerProvider, where you can have access to the request and response via the [KeycloakContext](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/models/KeycloakContext.html).

jonnewell · March 11, 2025, 1:13pm

Thanks for the response. The Jakarta filter works, I am just wondering what the downside of such an implementation would be?

xgp · March 11, 2025, 1:41pm

Thanks for that information. I didn’t know you can add a Jakarta filter to Keycloak. Can you show how you did that?

jonnewell · March 11, 2025, 1:59pm

You implement the filter as shown in my initial post, include it in the .JAR and it just works. This is extension outside of the sanctioned model for server development so I was wondering about any downside. I guess if the architecture moved from Jakarta to some other app engine (as it has in the past moved from WildFly=>Jakarta) then this implementation style would not longer be valid.

This is also useful for the /TOKEN endpoint when you want to issue an SSO cookie from another auth system but dont want to do so in IsValid() of the userstorage SPI or authenticator becuase the authcode has not been exchanged for tokens (with all the commensurate protections like PKCE).

Thanks!
-Jon

Topic		Replies	Views
Custom logout action Extending the server authentication	1	1113	April 19, 2021
Can I overwrite the logout endpoint? Getting advice authentication	12	108	April 23, 2025
How is logout really working and can we bypass the logout-confirm page? Tips and tricks oidc	6	32398	May 17, 2024
Logout with custom identity provider Getting advice	1	604	May 25, 2021
Keycloak logout valid case? Getting advice	0	431	June 29, 2021

Custom logout which style to use: REST endpoint or Jakarta filter

Related topics