When I press “logout” from KeyCloak, either the admin console or account console, I am redirected to the last site I logged into KeyCloak from. For instance, if I use KeyCloak to log into Nextcloud, when I attempt to log out of KeyCloak it directs me to Nextcloud rather than to a logout page. I’ve attempted changing valid redirect URI to restrict this behavior, toggling front-channel logout, changing the front-channel and back-channel logout urls, keeping them blank, requiring sessions, and have done this on every client. No matter what, when I hit log out I am redirected to the last client and remain logged in. The only way I’ve been able to force myself to log out is to delete all KeyCloak cookies in my browser.
I’ve been having issues finding anything in the documentation covering this, and am unsure how to configure my server to cease this behavior. Any help would be greatly appreciated.
In case this is of any help, here is the request and response I captured relating to this behavior:
REQUEST:
GET /realms/master/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fkeycloak.company.com%2Frealms%2Fmaster%2Faccount%2F%23%2F&id_token_hint={token} HTTP/1.1
Host: keycloak.company.com
Cookie: AUTH_SESSION_ID={cookie}; AUTH_SESSION_ID_LEGACY={cookie}; KEYCLOAK_SESSION=master/{session}; KEYCLOAK_SESSION_LEGACY=master/{session}; KEYCLOAK_IDENTITY={token}; KEYCLOAK_IDENTITY_LEGACY={token}
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
RESPONSE:
HTTP/1.1 302 Found
Date: Wed, 11 May 2022 23:05:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache, no-store
X-Content-Type-Options: nosniff
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Location: https://nextcloud.company.com/index.php/apps/user_saml/saml/sls?SAMLRequest={token}&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature={signature}
content-length: 0
Set-Cookie: AUTH_SESSION_ID={cookie}; Version=1; Path=/realms/master/; SameSite=None; Secure; HttpOnly
Set-Cookie: AUTH_SESSION_ID_LEGACY={cookie}; Version=1; Path=/realms/master/; HttpOnly
Connection: close
This example sent me to nextcloud, but the url will always be whatever client I last logged into.