RP-initiated logout - what id token to use as id_token_hint?

I can’t get Keycloak to log out in the new version with a post-logout URL. Keycloak tells me “Invalid parameter: id_token_hint” regardless of whether I pass no token, the access_token (Bearer token in my case) or the refresh token. Can you tell me what kind of token I need there? The documentation is a bit unclear about that. As far as I understood it, I just need to pass the access token I got from Keycloak with the auth token, but it didn’t work.

Found the solution: one needs to do the authorization request with scope=“openid”. Then Keycloak returns an id_token alongside the access and refresh tokens from the token endpoint.

I don’t think adding scope=openid works on Keycloak 18. I have no idea how to get the id_token on that version.

Adding the parameter mentioned below while starting Keycloak worked for me:
"--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"
I am using Keycloak 19 (Quarkus) version.

Solved after 3 hours of being stuck with this problem. :grinning:
Instead of looking for “id_token_hint”, you simply use “client_id”.
Tested on Keycloak version 25.04, on 15 Dec 2024.

The logout URL should be:
https://{my_keycloak_url}/realms/{my_realm_name}/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A//myapp_url&client_id={my_app_client_id_on_kk}
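
The two working variants from this thread (an ID token as id_token_hint, or client_id instead), as an added example that is not part of any post above and not Keycloak's own code. It assumes Keycloak tags its tokens with a `typ` claim ("ID", "Bearer", "Refresh"); the host names, realm and helper names are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode


def make_sample_token(claims):
    """Constructed, unsigned stand-in for a token, for this example only."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


def jwt_claims(token):
    """Read the payload of a compact JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_logout_url(base_url, realm, redirect_uri, id_token=None, client_id=None):
    """Build the logout URL with either id_token_hint or client_id."""
    if not id_token and not client_id:
        raise ValueError("post_logout_redirect_uri needs id_token_hint or client_id")
    params = {"post_logout_redirect_uri": redirect_uri}
    if id_token:
        # Assumption: Keycloak marks ID tokens with typ == "ID"
        # (access tokens carry "Bearer", refresh tokens "Refresh").
        typ = jwt_claims(id_token).get("typ")
        if typ != "ID":
            raise ValueError(f"token typ is {typ!r}, not an ID token")
        params["id_token_hint"] = id_token
    else:
        params["client_id"] = client_id
    endpoint = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"
    return f"{endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    access = make_sample_token({"typ": "Bearer", "azp": "my-app"})
    try:
        build_logout_url("https://kc.example", "demo", "https://myapp.example/", id_token=access)
    except ValueError as err:
        print("rejected:", err)
    print(build_logout_url("https://kc.example", "demo", "https://myapp.example/", client_id="my-app"))
```

The claim check only tells you which token you are holding before you send it; it does not verify the signature, so it is not a substitute for token validation.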