Open Redirect in /auth/realms/[REALM]/protocol/openid-connect/logout

When using the openid logout, the client_id is not used (it’s possible to logout without client_id).

Which client is used (a default one?)? Is it possible to validate the redirect_url against something?

No solution to offer but we were alerted to this security hole as well. Is it possible to authenticate the logout request? Or, as @sleroux3386 suggests, validate the redirect url against a whitelist?

There is no need for a client_id on the logout exchange because you don’t need to. This is called central logout and will remove your keycloak session.

This will not guarantee that other clients (besides the one that actually initiated the logout) will be aware of that logout. They must provide a logout endpoint which keycloak (the keycloak server itself, not the user browser) can make an HTTP request against to inform your application that the user session is to be revoked. You configure that url in the “Backchannel Logout URL” field of the client configuration, and keycloak can give your application the user’s (keycloak) session id if you choose “Backchannel Logout Session Required”.

Keycloak will only logout users with valid session cookies. So you cannot logout another user.

Keycloak will only redirect users to your redirect_url after logout if that url is listed in any client’s redirect_url list.
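As an added illustration (not code from this thread or from Keycloak itself), here is a post-logout redirect check that matches a candidate URL against a client's allowlist in the spirit of the replies above, with a naive prefix check beside it to show why the strict form matters. The allowlist entries and hostnames are constructed, and the wildcard rule is a simplified stand-in for Keycloak's own matching.

```python
from urllib.parse import urlsplit

# Constructed allowlist, modelled on a client's "Valid Redirect URIs" entries:
# exact URLs plus a trailing "/*" wildcard on one path prefix.
ALLOWED_REDIRECTS = [
    "https://app.example.com/logged-out",
    "https://app.example.com/account/*",
]


def naive_is_allowed(candidate, base="https://app.example.com"):
    """Vulnerable check: a string prefix test accepts look-alike hosts
    such as https://app.example.com.evil.example/ (open redirect)."""
    return candidate.startswith(base)


def _port(u):
    # Normalise an omitted port to the scheme default so that
    # https://host/ and https://host:443/ compare equal.
    return u.port if u.port is not None else (443 if u.scheme == "https" else 80)


def is_allowed_redirect(candidate, allowed=ALLOWED_REDIRECTS):
    """Hardened check: exact scheme/host/port match, no userinfo tricks,
    and either an exact path match or a registered "/*" prefix."""
    try:
        c = urlsplit(candidate)
        c_port = _port(c)
    except ValueError:  # malformed port etc.
        return False
    if c.scheme not in ("http", "https") or not c.hostname:
        return False  # rejects javascript:, data:, and scheme-relative //host
    if c.username is not None or c.password is not None:
        return False  # rejects https://app.example.com@evil.example/
    for entry in allowed:
        e = urlsplit(entry)
        if (c.scheme, c.hostname, c_port) != (e.scheme, e.hostname, _port(e)):
            continue
        if e.path.endswith("/*"):
            prefix = e.path[:-1]  # keep the "/" so "/account/*" won't match "/accounts"
            if c.path.startswith(prefix):
                return True
        elif c.path == e.path and c.query == e.query and not c.fragment:
            return True
    return False
```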