Invalid redirect uri but redirect uri are configured in client

Hi!

I’m configuring a client for SSO in Google Workspace using Keycloak as IDP. Everything is working fine with the exception of logout. When I try to logout I receive the following error: “Invalid redirect uri”

Valid Redirect URIs are configured as requested by Google. Logout URL also: https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https://www.google.com/

Does anyone know what I can do?

Thanks and I’m sorry for the typos

Hi. Did you try just asking for logout without a redirect?
Just like this:
https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout

Hi! Yes. It works normally.

Try the URL-encoded value (it is not clear from the question what executes that URL, or whether the URL is URL-encoded), e.g.

https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fwww.google.com

It’s configured on Google using the encoded URL.

I would recommend reading the Workspace documentation - a quick google and I believe it is this one: Service provider SSO setup - Google Workspace Admin Help

If I understand this doc correctly, then only SAML SSO protocol is supported by Google Workspace, so I don’t understand why you want to use OIDC logout Keycloak URL. Don’t mix OIDC/SAML Keycloak URLs.

Open your IDP metadata (e.g. /auth/realms/icone/protocol/saml/descriptor) and find SingleLogoutService. In the Keycloak case the Location used is usually the same as the SingleSignOnService Location. So I bet these URLs must be the same:

Of course Google Workspace must initiate SAML logout properly.
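As an added example (not code from the thread or from Keycloak), here is a small Python check that parses IdP metadata shaped like Keycloak's SAML descriptor, verifies that the SingleLogoutService and SingleSignOnService locations agree per binding, and tells you whether a configured logout URL is a SAML SLO endpoint or an OIDC one. The metadata document and the host keycloak.example are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata, shaped like Keycloak's
# /auth/realms/{MY-REALM}/protocol/saml/descriptor (not a real capture).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example/auth/realms/MY-REALM">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/auth/realms/MY-REALM/protocol/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/auth/realms/MY-REALM/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/auth/realms/MY-REALM/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/auth/realms/MY-REALM/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def endpoints(metadata_xml: str, service: str) -> dict:
    """Return {binding: location} for SingleSignOnService or SingleLogoutService."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for el in root.iterfind(f".//md:IDPSSODescriptor/md:{service}", MD_NS):
        found[el.get("Binding")] = el.get("Location")
    return found


def check_logout_config(metadata_xml: str, configured_logout_url: str) -> dict:
    """Compare the SP-side logout URL against the IdP's SAML endpoints."""
    slo = endpoints(metadata_xml, "SingleLogoutService")
    sso = endpoints(metadata_xml, "SingleSignOnService")
    return {
        # Keycloak normally publishes the same Location for SSO and SLO
        "slo_matches_sso": bool(sso) and all(slo.get(b) == sso.get(b) for b in sso),
        # a SAML SP must point at a published SingleLogoutService Location
        "logout_url_is_saml_slo": configured_logout_url in slo.values(),
        # an openid-connect logout URL is the wrong protocol for a SAML SP
        "logout_url_is_oidc": "/protocol/openid-connect/" in configured_logout_url,
    }
```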

I followed this tutorial by Google https://cloud.google.com/architecture/identity/keycloak-single-sign-on

When the URLs are the same, it’s not possible to initiate the logout. The error is as follows:


(EN: We are sorry… Invalid request.)

That seems to be a very crazy setup (or a genius workaround, which may work only with certain Keycloak versions). I would contact Google support first to double check their documentation. Are you sure that you don’t have any OIDC Keycloak session active? Keycloak may be picking up that OIDC session/client during OIDC logout.