OIDC Identity Provider Logout - How does it work?

xgp · June 8, 2023, 9:12am

I’m looking for some clarification on how the OIDC Identity Provider Logout URL is used. In the tooltip in the UI, it indicates:

End session endpoint to use to logout user from external IDP.

In the documentation, there is a similarly vague explanation:

When logging out, Keycloak sends a request to the external identity provider that is used to log in initially and logs the user out of this identity provider. You can skip this behavior and avoid logging out of the external identity provider. See adapter logout documentation for more information.

which links to information about the Java adapter.

My questions are:

what is the actual function of that URL?
when, in a logout flow can we expect it to be called?
are there specific ways we must initiate a logout in order to use this facility?

My experience in using this, is that when logging out of a Keycloak client using the normal OIDC logout URL (generated by the keycloak-js lib), this URL never gets called (either by Keycloak or by the browser) when the user entered through an OIDC IdP. I read the OIDC logout specs, and looked at the Keycloak code for this, and I can’t figure out which this is supposed to implement, and where the logout URL actually gets used.

xgp · June 10, 2023, 11:13am

Little more information here. It looks like the keycloakInitiatedBrowserLogout method from IdentityProvider is what is supposed to do the work:

https://www.keycloak.org/docs-api/21.1.1/javadocs/org/keycloak/broker/provider/IdentityProvider.html#keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession,org.keycloak.models.UserSessionModel,javax.ws.rs.core.UriInfo,org.keycloak.models.RealmModel)

which for OIDCIdentityProvider looks like this, with some conditional logic to either perform a backchannel or redirect, depending on configuration:

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L166


      
          
          
        @Override
                  protected void rollbackImpl() {
                      // no-op
                  }
              });
          }
          
          

          
@Override
          public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
              if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("")) return null;
              String idToken = userSession.getNote(FEDERATED_ID_TOKEN);
              if (idToken != null && getConfig().isBackchannelSupported()) {
                  backchannelLogout(userSession, idToken);
                  return null;
              } else {
                  String sessionId = userSession.getId();
                  UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
                          .queryParam("state", sessionId);
                  if (idToken != null) logoutUri.queryParam("id_token_hint", idToken);

All of this is called in the AuthenticationManager here:

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L652


      
          }
          
          
final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
          AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);
          
          
Response response = browserLogoutAllClients(userSession, session, realm, headers, uriInfo, logoutAuthSession);
          if (response != null) {
              return response;
          }
          
          
String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
          String initiatingIdp = logoutAuthSession.getAuthNote(AuthenticationManager.LOGOUT_INITIATING_IDP);
          if (brokerId != null && !brokerId.equals(initiatingIdp)) {
              IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
              response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
              if (response != null) {
                  return response;
              }
          }
          
          
return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);

My confusion is still, under what conditions would this get called? Which, by looking at the AuthenticationManager code can be translated to, under what conditions would there be a user session note with key Details.IDENTITY_PROVIDER and a logout auth session note with key AuthenticationManager.LOGOUT_INITIATING_IDP not the same as the former?

        String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
        String initiatingIdp = logoutAuthSession.getAuthNote(AuthenticationManager.LOGOUT_INITIATING_IDP);
        if (brokerId != null && !brokerId.equals(initiatingIdp)) {

Topic		Replies	Views
Keycloak as identity provider	0	382	April 13, 2020
External IDP not Logged Out Getting advice authentication , identity-brokering , oidc	3	1094	May 25, 2023
Logout a user from external IDP, after successful token generation Getting advice authentication , identity-brokering , oidc	2	1412	June 15, 2022
Propagate logout from external identity provider to keycloak broker Configuring the server identity-brokering , oidc	1	1363	October 7, 2021
Disable keycloak Identity provider logout Getting advice identity-brokering , oidc	2	616	April 5, 2023

OIDC Identity Provider Logout - How does it work?

Related Topics