Keycloak Gatekeeper - Logout

I’m having trouble getting Gatekeeper to logout properly and would welcome some advice.

I’m unable to logout with Gatekeeper directly because if I enable refresh tokens in its settings, then the Node.js app that it sits in front of complains that the header size is too big. I understand that Node.js has a hard-coded header size of 80k.

My second option is to logout of Keycloak directly from the Node.js server. The problem there is that the client tries to login again. I understand that the access token cookie will remain and be valid until its expiration, but I’m still able to use the access token to get the refresh token and successfully refresh the token. This is something that I wouldn’t expect to be able to do given that I’ve supposedly logged out.

Both Keycloak and Gatekeeper are set to 7.0.1.

Does anyone have any suggestions on how to proceed?

1.) Do you really need to forward all headers to the backend app? (for example use enable-token-header: false, which is enabled by default)

2.) Why don’t you use Gatekeeper’s logout handler:

/oauth/logout?redir=/goodbye
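As an added illustration (not part of the reply above, and not a configuration shipped with Gatekeeper), here is a Gatekeeper config that applies both suggestions: refresh tokens stay enabled with an encrypted cookie, the token is no longer copied into upstream request headers, and logout goes through the proxy's own handler. Hostnames, client id, secret and encryption key are placeholders.

```yaml
# Keycloak Gatekeeper configuration (example); hostnames, client id, secret and key are placeholders
discovery-url: https://keycloak.example.com/auth/realms/myrealm
client-id: my-node-app
client-secret: <client-secret-placeholder>
listen: :3000
upstream-url: http://127.0.0.1:8080          # the Node.js app behind the proxy
redirection-url: https://app.example.com

# Keep refresh tokens, but store them in an encrypted cookie rather than
# forwarding them; the key must be 16 or 32 characters long
enable-refresh-tokens: true
encryption-key: <32-character-key-placeholder>
secure-cookie: true

# Do not copy the access/refresh tokens into X-Auth-* request headers, and do not
# add a bearer Authorization header; these are what pushed the Node.js request
# headers past its 8 KB default without needing --max-http-header-size
enable-token-header: false
enable-authorization-header: false

# Logout is then handled by the proxy at /oauth/logout (with the redirect
# parameter shown in the reply), which clears the session cookies and revokes
# the refresh token at Keycloak instead of only dropping the cookie client-side
```

If the upstream still needs user identity, Gatekeeper's X-Auth-Email / X-Auth-Subject style claim headers are small and can be kept while the token headers are off.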

Thanks for your reply.

  1. It turns out that Node.js no longer hard-codes the header size, and its default is set to 8k. Hence the issue. The Node.js flag --max-http-header-size=10000 fixes the issue, but your enable-token-header: false also works and is a neater solution, thanks.

  2. Thanks, this is working well for me.

I have another issue regarding refresh tokens, but I think it deserves a new topic.