Camunda/ Keycloak logout is not working correctly for Keycloak 18 or above.

[aloksingh25]

login is success but when logging out from Camunda, it's not working with code given in : examples/sso-kubernetes/src/main/java/org/camunda/bpm/extension/keycloak/showcase/sso/KeycloakLogoutHandler.java

Redirect logout URL: http://localhost:8180/realms/master/protocol/openid-connect/logout?redirect_uri=http://localhost:8082

Camunda 7.17 Keyclock 18.0.0

[VonDerBeck]

Hi @aloksingh25,

can you tell me more about your setup? Logout has been working correctly with the sample checked in.

• It looks like you have changed at least some standard ports.
• Are you running the Spring Boot application locally? Or on Docker / Kubernetes / ...?
• Where/how have you set up your Keycloak server?
• What does your Spring Boot application.yaml look like?
• What does your Keycloak configuration look like?
• Do you have problems logging out especially using the Welcome page or is it the same in Cockpit/Tasklist/Admin?
• Have you checked if the given logout URL is available when you copy that into the browser?
• The logout URL says that it uses the "master" realm? Does that match your setup?

Gunnar

[aloksingh25]

Hi Gunnar, Please find the details below.

• It looks like you have changed at least some standard ports. (Changed but its managed as needed, Keyclock : 8180 and Camunda: 8082)
• Are you running the Spring Boot application locally? Or on Docker / Kubernetes / ...? (Its Spring boot application and doing it locally to take it to PROD )
• Where/how have you set up your Keycloak server? (Used keyclock zip and running on windows machine with command: kc.bat start-dev --http-port 8180)
• What does your Spring Boot application.yaml look like? (Attached)
• What does your Keycloak configuration look like? (no change in keyclock conf; Using UI created, Client (name: camunda-identity-service), User, "camunda-admin" group and added users as per the given in linkhttps://github.com/camunda-community-hub/camunda-platform-7-keycloak)
• Do you have problems logging out especially using the Welcome page or is it the same in Cockpit/Tasklist/Admin? (Same from all the apps). There is some change in Keyclock-18 version and due to that code given in KeycloakLogoutHandler.java is not working with Keyclock-18+ versions. Some changes need to take specially for keyclock 18 and 19 version.

Note: Login is working fine. Even if you notice in yaml "auth" keyword is removed from the URLs for Keyclock 18 and 19. plugin.identity.keycloak: keycloakIssuerUrl: http://localhost:8180/auth/realms/master Regards, Alok Singh Principal Consultant Modernization Practice, Infosys M: 997 123 7696 @.**@. Upcoming Planned Leave(s): NA

From: Gunnar von der Beck @.> Sent: Friday, August 26, 2022 8:47 PM To: camunda-community-hub/camunda-platform-7-keycloak @.> Cc: Alok Singh @.>; Mention @.> Subject: Re: [camunda-community-hub/camunda-platform-7-keycloak] Camunda/ Keyclock logout is not working correctly. (Issue #101)

[EXTERNAL EMAIL]

Hi @aloksingh25https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Faloksingh25&data=05%7C01%7Calok.singh25%40infosys.com%7C98420fffce734b79e99b08da87763621%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637971239057705892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JmDZ0uMb29vln2P3nYEYLc22V57Ix93DY6WfRwl9RII%3D&reserved=0,

can you tell me more about your setup? Logout has been working correctly with the sample checked in.

• It looks like you have changed at least some standard ports.
• Are you running the Spring Boot application locally? Or on Docker / Kubernetes / ...?
• Where/how have you set up your Keycloak server?
• What does your Spring Boot application.yaml look like?
• What does your Keycloak configuration look like?
• Do you have problems logging out especially using the Welcome page or is it the same in Cockpit/Tasklist/Admin?

Gunnar

- Reply to this email directly, view it on GitHubhttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcamunda-community-hub%2Fcamunda-platform-7-keycloak%2Fissues%2F101%23issuecomment-1228624595&data=05%7C01%7Calok.singh25%40infosys.com%7C98420fffce734b79e99b08da87763621%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637971239057705892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bQCFhwlXC47vRT5jtzoTnCH4nCrWeii8UeR3iIF6gbo%3D&reserved=0, or unsubscribehttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAPI2CJV5GR2R2MDNJ54LI6LV3DNYDANCNFSM57THAHBA&data=05%7C01%7Calok.singh25%40infosys.com%7C98420fffce734b79e99b08da87763621%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637971239057705892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CdPsZUwJdP9vyzHA7cA06LGYKsiL2gEJOB1MJ01fU4U%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.**@.>>

[VonDerBeck]

@aloksingh25: Indeed, you're right: starting with Keycloak 18 there are some changes when it comes to the logout procedure. See https://www.keycloak.org/2022/04/keycloak-1800-released / Chapter "OpenID Connect Logout". The current sample is - not yet - adapted to that. What you can do is one of the following:

• Use --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true as start parameter for Keycloak - Keycloak then behaves like before
• Adapt the logout handling: use post_logout_redirect_uri parameter. How to do this with Spring Boot? See https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options for a sample on how to use a OidcClientInitiatedServerLogoutSuccessHandler

I will modify and update the sample in future, propably when Camunda 7.18 is released. Does that help?

Gunnar

[aloksingh25]

Hi Gunnar,

• Use --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true as start parameter for Keycloak - Keycloak then behaves like before;
  • With this option, it's not working probably the reason being the "confirmation pop-op" option in case of logout.
• Adapt the logout handling: use post_logout_redirect_uri parameter. How to do this with Spring Boot? See https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-optionshttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.okta.com%2Fblog%2F2020%2F03%2F27%2Fspring-oidc-logout-options&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gymKDuuwrnpjPk%2Ffbgj%2BiHfcb0o4c%2BaB2zBNs6dbSrI%3D&reserved=0
  • With this, its asks for additional parameter "id_token_hint". And after adding this param, again its failing. If plan is to have in 7.18 then its okay. Will try from my side as much I can. Do you recommend to change Keyclock version?

Regards, Alok Singh Principal Consultant Modernization Practice, Infosys M: 997 123 7696 @.**@. Upcoming Planned Leave(s): NA

From: Gunnar von der Beck @.> Sent: Monday, August 29, 2022 5:19 PM To: camunda-community-hub/camunda-platform-7-keycloak @.> Cc: Alok Singh @.>; Mention @.> Subject: Re: [camunda-community-hub/camunda-platform-7-keycloak] Camunda/ Keyclock logout is not working correctly. (Issue #101)

[EXTERNAL EMAIL]

@aloksingh25https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Faloksingh25&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Y6UfcV0pDnso7hZNc0SMj%2BwRTvdMVLszj08pSd%2Ftqno%3D&reserved=0: Indeed, you're right: starting with Keycloak 18 there are some changes when it comes to the logout procedure. See https://www.keycloak.org/2022/04/keycloak-1800-releasedhttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2F2022%2F04%2Fkeycloak-1800-released&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=TdRqicY8CX0m7SKL6xRMh6d0BFg%2B%2B2S1q8YOWSjJySM%3D&reserved=0 / Chapter "OpenID Connect Logout". The current sample is - not yet - adapted to that. What you can do is one of the following:

• Use --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true as start parameter for Keycloak - Keycloak then behaves like before
• Adapt the logout handling: use post_logout_redirect_uri parameter. How to do this with Spring Boot? See https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-optionshttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.okta.com%2Fblog%2F2020%2F03%2F27%2Fspring-oidc-logout-options&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gymKDuuwrnpjPk%2Ffbgj%2BiHfcb0o4c%2BaB2zBNs6dbSrI%3D&reserved=0

I will modify and update the sample in future, propably when Camunda 7.18 is released. Does that help?

Gunnar

- Reply to this email directly, view it on GitHubhttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcamunda-community-hub%2Fcamunda-platform-7-keycloak%2Fissues%2F101%23issuecomment-1230179038&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XReMMgcjU2bho7jPYyMp8T%2Bug8I5c0ktImPuE7OK6us%3D&reserved=0, or unsubscribehttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAPI2CJQQX3F63VHKJ2SVHZLV3SPTVANCNFSM57THAHBA&data=05%7C01%7Calok.singh25%40infosys.com%7C0133ab1f7f324978463a08da89b4a094%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973706146585890%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pA2wqpXk4epg%2FeiH0HKGDsYxUYaf9BAT6Kg%2BrW7q7bA%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.**@.>>

[VonDerBeck]

Hi @aloksingh25,

so please do the following:

1.) Please be aware that in Keycloak you now have to additionally configure "Valid post logout redirect URIs" 2.) Within the existing Keycloak Logout Handler just change the logoutUrl as follows:

// Complete logout URL
String logoutUrl = oauth2UserLogoutUri + "?post_logout_redirect_uri=" + redirectUri + "&id_token_hint=" + ((OidcUser)authentication.getPrincipal()).getIdToken().getTokenValue();

That should do the trick.

Cheers Gunnar

[aloksingh25]

Hi Gunnar, With the below option, redirect is still failing at Camunda app's. Sharing below snaps.

Complete logout URL: (I can see keyclock session is getting expired with the below URL.) http://localhost:8180/realms/master/protocol/openid-connect/logout?redirect_uri=http://localhost:8082&id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYZU02LUdYVzJTQmc5aXpPalF4XzRRWWRsX1VLRU9ad1l1RVlSMmppX0M4In0.eyJleHAiOjE2NjE4NDU5MDAsImlhdCI6MTY2MTg0NTg0MCwiYXV0aF90aW1lIjoxNjYxODQ1Nzg2LCJqdGkiOiJiMjY2ZDlkMS1hZjM2LTQ4NjktYTZlOC0wMDFhYTVlMWZmYmYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvcmVhbG1zL21hc3RlciIsImF1ZCI6ImNhbXVuZGEtaWRlbnRpdHktc2VydmljZSIsInN1YiI6IjkzMjY2OWQ2LTI4NGUtNGUzMy05MWQ0LTQwMTc1ZDI4ZWNjYiIsInR5cCI6IklEIiwiYXpwIjoiY2FtdW5kYS1pZGVudGl0eS1zZXJ2aWNlIiwibm9uY2UiOiJHV2R3aGcxWGFIcmZJRFJTRFpvSzRPM181dEV0N28wV2FyaEU0U3lOaVlrIiwic2Vzc2lvbl9zdGF0ZSI6IjBkMWY0YjRiLTAzMzEtNDQwOS1iN2ZkLTcxM2E4NTI0NTIzZSIsImF0X2hhc2giOiIyaENXX2dlOU1BRW50Mmw3YlhORzlBIiwiYWNyIjoiMCIsInNpZCI6IjBkMWY0YjRiLTAzMzEtNDQwOS1iN2ZkLTcxM2E4NTI0NTIzZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IkFMT0sgZGVtbzEgU0lOR0giLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vMSIsImdpdmVuX25hbWUiOiJBTE9LIGRlbW8xIiwiZmFtaWx5X25hbWUiOiJTSU5HSCIsImVtYWlsIjoiYWxvazAzMDVAcmVkaWZmbWFpbC5jb20ifQ.peJjpxvNkbc1EgtJz4fBHPhwCq3dgcIbgGdSNnFK6js5BhOXyGLJkX5bQRNPhHdnBwkXR6JevSRoh2aqzLcP1K807HU5OpkFAXk5u-Z7up_oUEXItJarsdN31XW8SMZ0TmH52KFRvAh1jCFnob0SOASF35EsBWbO1HKA9D274SNIeKwztAcwKkrHkmPLA8KVsOYgUt4Zc3xNMCSbG3n-O840ZQRDj0kgdShQ-y-CqV5C10QtLX8JhMfa1hAZHwSF4O94h0We7ROq94L3LPsGHnN9JL7vSK80pGxNA5OHQ4PRzjyMkseXWa7UbDvziXKnOLoLZ33NSfaXggbmcUL0Pw

Logout handler: @.***

Keyclock' logout URIs @.***

Regards, Alok Singh Principal Consultant Modernization Practice, Infosys M: 997 123 7696 @.**@. Upcoming Planned Leave(s): NA

From: Gunnar von der Beck @.> Sent: Monday, August 29, 2022 8:36 PM To: camunda-community-hub/camunda-platform-7-keycloak @.> Cc: Alok Singh @.>; Mention @.> Subject: Re: [camunda-community-hub/camunda-platform-7-keycloak] Camunda/ Keyclock logout is not working correctly. (Issue #101)

[EXTERNAL EMAIL]

Hi @aloksingh25https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Faloksingh25&data=05%7C01%7Calok.singh25%40infosys.com%7Cc40749aa83124741e92808da89d0607a%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973825325531026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=79oapK1NGwNnlU8JeKXxniJ06JSOBP5WXlDXSDK%2B8lY%3D&reserved=0,

so please do the following:

1.) Please be aware that in Keycloak you now have to additionally configure "Valid post logout redirect URIs" 2.) Within the existing Keycloak Logout Handler just change the logoutUrl as follows:

// Complete logout URL

String logoutUrl = oauth2UserLogoutUri + "?post_logout_redirect_uri=" + redirectUri + "&id_token_hint=" + ((OidcUser)authentication.getPrincipal()).getIdToken().getTokenValue();

- Reply to this email directly, view it on GitHubhttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcamunda-community-hub%2Fcamunda-platform-7-keycloak%2Fissues%2F101%23issuecomment-1230440913&data=05%7C01%7Calok.singh25%40infosys.com%7Cc40749aa83124741e92808da89d0607a%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973825325531026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2EIICqPSFXpR4Nmre6eGr%2BATKzOMWkzAwJ%2BC%2BIgKilo%3D&reserved=0, or unsubscribehttps://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAPI2CJUU7TMQ6KM4YJBDIW3V3TGUNANCNFSM57THAHBA&data=05%7C01%7Calok.singh25%40infosys.com%7Cc40749aa83124741e92808da89d0607a%7C63ce7d592f3e42cda8ccbe764cff5eb6%7C0%7C0%7C637973825325531026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MUjIZ6KAgY1OxXgSmbA%2FCOpjA0h6OWv3u9Qsp87EmBo%3D&reserved=0. You are receiving this because you were mentioned.Message ID: @.**@.>>

[VonDerBeck]

Hi @aloksingh25,

can you please stop repyling by mail?? This is absolutely unreadable.

Please share your qestion and content in a format so that I can read it on GitHub. Otherwise I will close this issue as "not reproducible". Sorry for being that harsh. Just look at your comments directly on github.com - its disrespectful towards me investing my rare time!

Back to your problem: what will happen upon logout is: you'll get logged out from Keycloak. Keycloak sends a redirect to your app to Camunda Cockpit. And because you're not logged in, this will redirect you back to the login page of Keycloak.

This works with Keycloak 19.0.1, Keycloak config for "Valid post logout redirect URIs", adjusted Keycloak URIs (without "auth") in the application.yaml config and the simple change to the logout handler posted above.

Gunnar