Invalid redirect uri but redirect URIs are configured in client

Hi!

I’m configuring a client for SSO in Google Workspace using Keycloak as IDP. Everything is working fine with the exception of logout. When I try to logout I receive the following error: “Invalid redirect uri”

Valid Redirect URIs are configured as requested by Google. Logout URL also: https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https://www.google.com/

Anyone knows what I can do?

Thanks and I’m sorry for the typos

Hi. Did you try just requesting logout without a redirect?
Just like this:
https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout

Hi! Yes. It works normally.

Try a URL-encoded value (it is not clear from the question what executes that URL, so whether the URL is URL-encoded), e.g.

https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fwww.google.com

It’s configured on Google using encoded URL.

I would recommend reading the Workspace documentation - a quick Google search, and I believe it is this one: Service provider SSO setup - Google Workspace Admin Help

If I understand this doc correctly, then only SAML SSO protocol is supported by Google Workspace, so I don’t understand why you want to use OIDC logout Keycloak URL. Don’t mix OIDC/SAML Keycloak URLs.

Open your IDP metadata (e.g. /auth/realms/icone/protocol/saml/descriptor) and find SingleLogoutService. The Location used is usually the same as the SingleSignOnService Location in the Keycloak case. So I bet these URLs must be the same:

Of course Google Workspace must initiate SAML logout properly.

I followed this tutorial by Google https://cloud.google.com/architecture/identity/keycloak-single-sign-on

When the URLs are the same, it’s not possible to initiate the logout. The error is as follows:

(EN: We are sorry… Invalid request.)

That seems to be a very crazy setup (or a genius workaround, which may work only with certain Keycloak versions). I would contact Google support first to double check their documentation. Are you sure that you don’t have any OIDC Keycloak session active? Keycloak may be picking that OIDC session/client during OIDC logout.

Check the Web Origins option on Keycloak. It should be *

FYI, this “hack” by Google no longer seems to work in Keycloak 15.0.2. It fails with an “Invalid redirect_uri” error, even when the URI is set properly on both sides.


Hi guys,

I don’t know how you solved the problem, but I found one workaround. I set up another client in the realm for logout and it worked. The logout client is openid-connect, the login client is saml.

Please open your realm settings and find the OpenID Configuration file. Open this JSON and you will get your logout URL; use that URL and append the redirect URL to it.

Find your configuration here.

http://serverUrl/realms/my-realm-name/.well-known/openid-configuration

For example:

http://serverUrl/realms/my-realm-name/protocol/openid-connect/logout
You can append the redirect URL to this.

I noticed in the configuration that it doesn’t require “auth” in the URL.
I am new to Keycloak, I may be missing something, but using the URL from the configuration worked for me.
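The two practical points raised in this thread, reading the logout endpoint from the realm's `.well-known/openid-configuration` document and URL-encoding the `redirect_uri` parameter, are illustrated below as an added example. This is not code from the thread or from Keycloak; the discovery document is a constructed sample, `keycloak.example.test` and `my-realm-name` are placeholders, and `redirect_uri_allowed` is a simplified stand-in for a client's Valid Redirect URIs allow-list (exact match or a trailing `*` wildcard) rather than Keycloak's own matcher. Note that it treats `https://www.google.com/` and `https://www.google.com` as different strings, which is exactly the kind of mismatch that produces an "Invalid redirect uri" error when the configured value and the value actually sent differ by a trailing slash or by encoding. Newer Keycloak releases (18 and later) expect `post_logout_redirect_uri` together with `id_token_hint` instead of the bare `redirect_uri` shown in this thread, so check the version in use.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of the fields this example needs from a Keycloak discovery
# document. The real document is served at
# https://{KEYCLOAK}/realms/{REALM}/.well-known/openid-configuration
# (or .../auth/realms/... on older Keycloak that still used the /auth context path).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.test/realms/my-realm-name",
    "end_session_endpoint": "https://keycloak.example.test/realms/my-realm-name"
                            "/protocol/openid-connect/logout",
})


def end_session_endpoint(discovery_json: str) -> str:
    """Return the logout endpoint advertised by the realm's discovery document."""
    doc = json.loads(discovery_json)
    return doc["end_session_endpoint"]


def redirect_uri_allowed(candidate: str, valid_redirect_uris) -> bool:
    """Simplified allow-list check (an assumption, not Keycloak's own code):
    a pattern matches on exact string equality, or, if it ends in '*', on prefix.
    A bare '*' is rejected here because it would turn the logout endpoint into an
    open redirector; configure concrete URIs instead."""
    for pattern in valid_redirect_uris:
        if pattern == "*":
            continue
        if pattern.endswith("*"):
            if candidate.startswith(pattern[:-1]):
                return True
        elif candidate == pattern:
            return True
    return False


def build_logout_url(endpoint: str, redirect_uri: str, valid_redirect_uris) -> str:
    """Build the logout URL, refusing targets not on the client's allow-list.
    urlencode() percent-encodes the redirect target, so ':' and '/' become %3A and %2F."""
    if not redirect_uri_allowed(redirect_uri, valid_redirect_uris):
        raise ValueError(f"redirect_uri not in Valid Redirect URIs: {redirect_uri}")
    return endpoint + "?" + urlencode({"redirect_uri": redirect_uri})


def logout_redirect_target(logout_url: str):
    """Decode the redirect_uri parameter exactly as the server would see it,
    so a URL can be compared against the value configured on the client."""
    params = parse_qs(urlsplit(logout_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


if __name__ == "__main__":
    endpoint = end_session_endpoint(SAMPLE_DISCOVERY)
    allowed = ["https://www.google.com/"]
    url = build_logout_url(endpoint, "https://www.google.com/", allowed)
    print(url)
    # The value sent in the thread decodes without the trailing slash the
    # configured value has, so the two do not match exactly.
    sent = logout_redirect_target(endpoint + "?redirect_uri=https%3A%2F%2Fwww.google.com")
    print(sent, "allowed:", redirect_uri_allowed(sent, allowed))
```

Running the script prints the percent-encoded logout URL, then shows that the decoded target `https://www.google.com` is not an exact match for the configured `https://www.google.com/`; adding both forms to Valid Redirect URIs, or sending exactly the configured string, removes that particular cause of the error.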