MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs

endSession / logout redirect not working #461

Open 0verEngineer opened 7 months ago

0verEngineer commented 7 months ago

Hey, I am using flutter_appauth for my Flutter app and I have problems with the redirect on logout: sometimes it works, but most of the time it does not, and the browser just stays open. I checked your example app and found that your IdentityServer does show a "You are now logged out" page; I do not have such a page.

I use Keycloak, and when I use the appAuth.endSession method with the correct logout endpoint I only get a white page in the browser. If I hit the logout endpoint in the normal mobile browser (when logged in) I see the default Keycloak logout button.

If I got this correctly, the logout button should not be shown when appAuth.endSession opens the logout URL, but is it correct that the page is completely blank?

After multiple tries, the redirect after hitting the (completely blank) logout page via appAuth.endSession did work 2 times.

I can see that you have a manual redirect button on the "You are now logged out" page; is this the only way to solve this issue?

I know it is this Chrome redirect-without-user-input bullshit that creates this problem in the first place, but why does it work sometimes?

MaikuB commented 6 months ago

The demo IdentityServer (note: it's not mine) having a page was a choice they made. Whether or not a page exists there doesn't affect this either, nor can I tell you why you have this issue. My best guess is that it's something specific to Keycloak and would be something you have to dig into further as to how they implement logging out. What I can tell you is that it's a standard and I have first-hand experience with this working with Azure B2C.

0verEngineer commented 6 months ago

This definitely comes from the problem that Chrome does not want to redirect when no user input happens, so it does work with an extra logout page but not without one.

So I think your assumption that it has nothing to do with the page existing is wrong.

Try to implement it without the page (either disable it or use a service that has none) and please provide this as an example.

MaikuB commented 6 months ago

This definitely comes from the problem that Chrome does not want to redirect when no user input happens, so it does work with an extra logout page but not without one.

I'm confused by this, as if you believe that's the case then it would seem to defeat the purpose of coming here to ask if it is needed per your original post and to then say that I'm wrong. You probably already know this, but redirects are the result of an HTTP 302 response being issued by the server. This means how it's issued (button or otherwise) isn't relevant, as the outcome is the same. The general idea of redirects needing user input can be disproven if you have an existing login session and initiate another auth request. This can be reproduced by

Here you will be redirected back without any user input.

Try to implement it without the page (either disable it or use a service that has none) and please provide this as an example.

I mentioned in a previous post that I "have first-hand experience with this working with Azure B2C". There is no page shown requiring user input. It's not something I can share as it's confidential, but all this involves is using this plugin to make the end session request. Given your issue, I would say there's a problem elsewhere that you may need to look into, e.g. a problem with the ID token you're providing that is preventing a redirect.

0verEngineer commented 6 months ago

To my understanding, Chrome blocks all redirects that are not issued by a user clicking somewhere; that is why it is needed on login (it often does not work without promptValues: ['login']).

So why should this not be required on logout?

The end session request and the ID token are correct, because the session is ended (and I checked that the id_token is correct); everything works besides the redirect back to the app.

I just re-tried it: it worked 3 times in a row, and the fourth time it is stuck in the browser again.

And I debugged the Chrome inside the Android emulator with my local Chromium, and it logs Navigation is blocked: my-app-name://auth/auth_callback?state=lTP6zjKCcY29YsEN4Lyw9Q to the console when the logout redirect does not work.

MaikuB commented 6 months ago

Strictly speaking, the login prompt value is a mechanism to force (re)authentication rather than to avoid the issue you're describing. Even if there is an issue, based on what you're saying, this is a problem with Chrome rather than the plugin, so there isn't anything that can be done on the plugin side. Searching for the error you mention showed me results around issues reported with Chromium where some had this issue even when the user had to provide input. With all of the above in mind, I can't advise you more on this, as if there's a problem then it would appear to be to do with either the browser or Keycloak. You may need to share details with the relevant teams to see if they can assist further.

0verEngineer commented 6 months ago

Questions:

  1. You say that you use it successfully with auth providers that do not display a logout confirmation; is there any specific configuration for this, and is this on Android?
  2. It seems like Keycloak would display a logout confirmation button (https://github.com/keycloak/keycloak/issues/11915), but to get this we need to send no idToken while postLogoutRedirectUrl and clientID are specified; this is not possible with flutter_appauth. Can you test this and eventually change this? (https://github.com/keycloak/keycloak/issues/12002#issuecomment-1128896662)
  3. What is very confusing to me is that sometimes it works (confusing if this is a security feature of Chrome), and you say it works for you without any user input on logout; have you ever tried this with Keycloak?
  4. As it works for you, how is the redirect handled by the auth providers you use? Is it a normal 302?

Here is my issue in AppAuth-Android: https://github.com/openid/AppAuth-Android/issues/1022

0verEngineer commented 2 months ago

@MaikuB Hey, sorry for this, but can you eventually answer the 4 questions above? My problems are still there, and if I don't get this to work I have to change to something else.

MaikuB commented 2 months ago

  1. There was no specific configuration for this, and it's on both platforms. Whether or not there's a button should be down to the provider, not the platform. I've never tried it with Keycloak.
  2. I don't have capacity for this, so I would suggest you do so. Note that, as with the other request classes, there's an additionalParameters. Could be it will work that way. Either way, this plugin is constrained by what the native SDKs support, and this plugin aligns with the constructors of the classes exposed by the SDKs.
  3. No
  4. It's been a while since I've checked, but this should all be standard regardless of the provider. If you really wanted to know, then you can take the example app and modify it to point to other providers, as they typically have credentials for their respective demo apps.

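The two end-session variants discussed in this thread (id_token_hint based, and the Keycloak confirmation-page variant that passes client_id through additionalParameters), written out as an added example; this is not code from the plugin or from either participant. The issuer, client id and redirect scheme are constructed placeholders, and whether the native AppAuth SDK forwards client_id from additionalParameters is an assumption to verify against your setup.

```dart
import 'package:flutter_appauth/flutter_appauth.dart';

// Constructed placeholder values: replace with your own realm, client and scheme.
const String kIssuer = 'https://keycloak.example.com/realms/myrealm';
const String kClientId = 'my-mobile-client';
const String kPostLogoutRedirect = 'my-app-name://auth/auth_callback';

final FlutterAppAuth appAuth = FlutterAppAuth();

// Keycloak endpoints spelled out so the end_session_endpoint is explicit
// (discovery via '$kIssuer/.well-known/openid-configuration' would fill these too).
final AuthorizationServiceConfiguration kConfig = AuthorizationServiceConfiguration(
  authorizationEndpoint: '$kIssuer/protocol/openid-connect/auth',
  tokenEndpoint: '$kIssuer/protocol/openid-connect/token',
  endSessionEndpoint: '$kIssuer/protocol/openid-connect/logout',
);

// Variant 1: RP-initiated logout with id_token_hint. The provider ends the session
// and answers with a 302 to post_logout_redirect_uri; that custom-scheme navigation
// is the step the thread reports Chrome sometimes blocking.
Future<String?> logoutWithIdToken(String idToken) async {
  final EndSessionResponse? response = await appAuth.endSession(
    EndSessionRequest(
      idTokenHint: idToken,
      postLogoutRedirectUrl: kPostLogoutRedirect,
      serviceConfiguration: kConfig,
    ),
  );
  // state is echoed back on the redirect; null means the browser never returned,
  // even though the server-side session may already be ended.
  return response?.state;
}

// Variant 2: no id_token_hint; client_id supplied via additionalParameters so Keycloak
// renders its logout confirmation button (per the issues linked above). The final
// redirect then follows a user tap. Assumption: the SDK forwards this parameter.
Future<String?> logoutWithConfirmation() async {
  final EndSessionResponse? response = await appAuth.endSession(
    EndSessionRequest(
      postLogoutRedirectUrl: kPostLogoutRedirect,
      serviceConfiguration: kConfig,
      additionalParameters: <String, String>{'client_id': kClientId},
    ),
  );
  return response?.state;
}
```

In either variant, clear locally stored tokens whether or not a state comes back, so a blocked redirect never leaves the app holding credentials for a session the server has already ended.
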
0verEngineer commented 2 months ago

Thanks a lot for your answer.