camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

Logout is not redirecting correctly #39

Closed MarvinKern closed 4 years ago

MarvinKern commented 4 years ago

Hi all, when I log out of my Camunda application, I am redirected to the Camunda login page: http://localhost:8080/camunda/app/welcome/default/#!/login. However, I don't want to be redirected to this page; I want to be redirected to the Keycloak login page. I configured my Keycloak as described in this project. Has anybody an idea on this? Thank you :+1:

VonDerBeck commented 4 years ago

Hi @MarvinKern,

take a look at the SSO sample and the following snippets:

  1. KeyCloakLogoutHandler - it's configured in WebAppSecurityConfig
  2. The custom configuration of the apps under src/main/resources/META-INF/resources/webjars/camunda/app

In short, you'll have to redirect the logout to log out from Keycloak and, in case of success, redirect back to the Camunda application.

Hope this helps.

Gunnar

MarvinKern commented 4 years ago

Hi @VonDerBeck, thank you for the quick answer. I had a look at the resources under https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes/src/main/resources/META-INF/resources/webjars/camunda/app, but I am not fully understanding what to do. Should I copy the folder webjars/camunda/app into my META-INF folder and configure the custom JavaScript code in it?

VonDerBeck commented 4 years ago

@MarvinKern

This should be part of your project. If you have a look e.g. in folder cockpit (the Camunda Cockpit application), you'll find a subfolder scripts containing a file config.js, which is the standard place for adding custom scripts. Under subfolder custom you'll find the configured custom script logout.js, overriding the logout part of the default Camunda web application.

This has to be done for all four applications of the Camunda web app: Cockpit, Tasklist, Admin and Welcome.

MarvinKern commented 4 years ago

@VonDerBeck Ah okay, I got it. So I copied the META-INF folder into my project, but the logout is still not redirecting to the Keycloak login page :/

MarvinKern commented 4 years ago

@VonDerBeck I forgot to mention that I am using Spring Boot.

MarvinKern commented 4 years ago

@VonDerBeck Do you have any idea why this would not work for me? I am using Spring Boot and a hexagonal software architecture, so I have my project split into the folders bootstrap, infrastructure, workflow and domain.

VonDerBeck commented 4 years ago

Hi @MarvinKern,

Now, in short: replace Camunda's logout action with your own action. Capture this URL and make it redirect to Keycloak's logout URL, which in turn redirects to Camunda once the logout has been successful.

To identify your problem you should:

  1. check the request sent by clicking on logout
  2. check that your logout handler is correctly triggered
  3. check the redirect to Keycloak
  4. check the redirect from Keycloak back to your Camunda app

Hope this helps to identify the problem in your special setup.

Gunnar
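One way to implement the redirect chain described above (capture Camunda's logout, send the browser to Keycloak's end-session endpoint, have Keycloak send it back), as an added example that is not the thread's or the showcase's own code. It assumes Spring Boot 2.5 / Spring Security 5.5 (the versions mentioned later in this thread), the keycloak.url.auth property and the camunda realm from the application.yaml posted further down, and that the custom logout.js points the logout link at a logout path beneath the app URL (for example /app/cockpit/default/logout); the class names and the camunda.sso.post-logout-redirect-uri property are mine.

```java
package org.camunda.bpm.extension.keycloak.showcase.sso; // hypothetical package for this example

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.util.UriComponentsBuilder;

@Configuration
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

  // keycloak.url.auth is the property name used in the application.yaml in this thread.
  @Value("${keycloak.url.auth}/auth/realms/camunda")
  private String issuerUri;

  // Assumed property; the default is the welcome page from the first post.
  @Value("${camunda.sso.post-logout-redirect-uri:http://localhost:8080/camunda/app/welcome/default/}")
  private String postLogoutRedirectUri;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // Camunda's REST calls carry Camunda's own CSRF header (CsrfPreventionFilter), so
      // Spring's CSRF filter is only kept for the remaining paths.
      .csrf().ignoringAntMatchers("/api/**", "/engine-rest/**")
      .and()
      .authorizeRequests(authorize -> authorize
          .antMatchers("/app/**", "/api/**", "/lib/**").authenticated()
          .anyRequest().permitAll())
      .oauth2Login()
      .and()
      .logout()
        // Step 1 of the checklist: the custom logout.js is assumed to send the browser to
        // <app-url>/logout; matching that path (any method) replaces Camunda's own logout action.
        .logoutRequestMatcher(new AntPathRequestMatcher("/app/**/logout"))
        // Steps 3 and 4: after the local session is invalidated, bounce through Keycloak.
        .logoutSuccessHandler(new KeycloakEndSessionRedirectHandler(issuerUri, postLogoutRedirectUri));
  }

  /**
   * Redirects to Keycloak's end-session endpoint and asks it to send the browser back to
   * Camunda afterwards. Logging out only locally would leave the Keycloak SSO session alive,
   * so the next visit to /app would silently log the same user in again.
   */
  static class KeycloakEndSessionRedirectHandler implements LogoutSuccessHandler {

    private final String endSessionEndpoint;
    private final String postLogoutRedirectUri;

    KeycloakEndSessionRedirectHandler(String issuerUri, String postLogoutRedirectUri) {
      this.endSessionEndpoint = issuerUri + "/protocol/openid-connect/logout";
      this.postLogoutRedirectUri = postLogoutRedirectUri;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException {
      UriComponentsBuilder target = UriComponentsBuilder.fromUriString(endSessionEndpoint)
          // Must be one of the Keycloak client's allowed (post-logout) redirect URIs,
          // otherwise Keycloak rejects the redirect instead of following it.
          .queryParam("post_logout_redirect_uri", postLogoutRedirectUri);
      if (authentication != null && authentication.getPrincipal() instanceof OidcUser) {
        // id_token_hint tells Keycloak which session to end and avoids its logout
        // confirmation page; recent Keycloak versions require it together with
        // post_logout_redirect_uri.
        String idToken = ((OidcUser) authentication.getPrincipal()).getIdToken().getTokenValue();
        target.queryParam("id_token_hint", idToken);
      }
      response.sendRedirect(target.encode().build().toUriString());
    }
  }
}
```

With this in place the four checks above map to concrete observations: the request to /app/<app>/default/logout in the browser's network tab, Spring Security's LogoutFilter debug line (logging.level.org.springframework.security: DEBUG, as in the yaml below), the 302 to .../protocol/openid-connect/logout, and Keycloak's 302 back to the post_logout_redirect_uri. Note that the application.yaml posted later in this thread sets disableSSLCertificateValidation: true and carries a client secret as a default value; both are acceptable for a local sample only.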

MarvinKern commented 4 years ago

Hi @VonDerBeck ,

Thanks for the detailed description, I will go for it :)

MarvinKern commented 4 years ago

Thanks for your help, I could make it run with the help of your comments :)

MK88-art commented 2 years ago

Hello @MarvinKern. I'm running a Camunda Spring Boot application and trying to log in to the Camunda platform using Keycloak, but I'm having an almost similar issue. Could you help me? Mine is a login issue.

VonDerBeck commented 2 years ago

@MK88-art,

which version of Camunda / Spring Boot are you using? And what exactly is your problem? What does your application.yaml look like?

Gunnar

MK88-art commented 2 years ago

Hello @VonDerBeck. Thank you for your feedback. So I'm running a Spring Boot app from IntelliJ using Camunda Platform version 7.16.0 and Spring Boot version 2.5.4, and this is the application.yaml:

spring.datasource:
  url: ${JDBC_URL:jdbc:h2:./camunda-db;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE}
  username: ${JDBC_USER:sa}
  password: ${JDBC_PASSWORD:sa}
#spring.h2.console.enabled: true

spring:
  jersey:
    application-path: /engine-rest

camunda.bpm:
  authorization:
    enabled: true
  filter:
    create: All tasks
  webapp.application-path:

server:
  port: 8080
  servlet.context-path: /camunda

# Metrics & Health
management:
  health.probes.enabled: true
  endpoints:
    web.exposure.include: env,health,info,metrics

# Externalized Keycloak configuration
keycloak:
  # SSO Authentication requests. Send by application as redirect to the browser
  url.auth: ${KEYCLOAK_URL_AUTH:http://localhost:9000}
  # SSO Token requests. Send from the application to Keycloak
  url.token: ${KEYCLOAK_URL_TOKEN:http://localhost:9000}
  # Keycloak access for the Identity Provider plugin.
  url.plugin: ${KEYCLOAK_URL_PLUGIN:https://localhost:9001}

  # Keycloak Camunda Identity Client
  client.id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
  client.secret: ${KEYCLOAK_CLIENT_SECRET:cbee1434-7e4d-4d85-bab6-5944b427a3c0}

# Spring Boot Security OAuth2 SSO
spring.security:
  oauth2:
    client:
      registration:
        keycloak:
          provider: keycloak
          client-id: ${keycloak.client.id}
          client-secret: ${keycloak.client.secret}
          authorization-grant-type: authorization_code
          redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
          scope: openid, profile, email
      provider:
        keycloak:
          issuer-uri: ${keycloak.url.auth}/auth/realms/camunda
          authorization-uri: ${keycloak.url.auth}/auth/realms/camunda/protocol/openid-connect/auth
          user-info-uri: ${keycloak.url.auth}/auth/realms/camunda/protocol/openid-connect/userinfo
          token-uri: ${keycloak.url.token}/auth/realms/camunda/protocol/openid-connect/token
          jwk-set-uri: ${keycloak.url.token}/auth/realms/camunda/protocol/openid-connect/certs
          # set user-name-attribute one of:
          # - sub                -> default; using keycloak ID as camunda user ID
          # - email              -> useEmailAsCamundaUserId=true
          # - preferred_username -> useUsernameAsCamundaUserId=true
          user-name-attribute: preferred_username

logging.level.org.springframework.security: DEBUG

# Camunda Rest API
rest.security:
  enabled: true
  provider: keycloak
  required-audience: camunda-rest-api

# Camunda Keycloak Identity Provider Plugin
plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/camunda
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/camunda
  clientId: ${keycloak.client.id}
  clientSecret: ${keycloak.client.secret}
  useEmailAsCamundaUserId: false
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disableSSLCertificateValidation: true

So the problem is on logging out. I can successfully log in via the Camunda login page and I can see all my users and processes, but on logging out I'm getting this error:

[image: logout.png]

I had also commented out the WebAppSecurityConfig.java because I would get this error which says authentication provider not found:

[image: authfilter.png]

gunnar commented 2 years ago

Hi. I think you may have tagged the wrong person. I'm not affiliated with nor interested in the project you're referencing.


MK88-art commented 2 years ago


Yes, sincere apologies for that. I edited the message but it was already sent.

gunnar commented 2 years ago

No problem. It’s a fairly common occurrence with my name. I just like to make sure the message gets where it’s supposed to go, so I usually let the person know they’ve made a mistake.


VonDerBeck commented 2 years ago

Hi @MK88-art

you wrote:

So the problem is on logging out. I can successfully log in via the Camunda login page and I can see all my users and processes, but on logging out I'm getting this error: [image: logout.png] I had also commented out the WebAppSecurityConfig.java because I would get this error which says authentication provider not found: [image: authfilter.png]

Hmm...

  1. Commenting out WebAppSecurityConfig leads to your first error. Don't do this.
  2. The SSO example is working pretty well. So I can only recommend the steps in https://github.com/camunda-community-hub/camunda-bpm-identity-keycloak/issues/39#issuecomment-702067435
  3. Especially in your WebAppSecurityConfig.java check the following:

    import java.util.Collections;

    import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;

    @SuppressWarnings({ "rawtypes", "unchecked" })
    @Bean
    public FilterRegistrationBean containerBasedAuthenticationFilter(){
    
        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        // Camunda's filter delegates to the class named in "authentication-provider";
        // it is loaded by name, so a typo or wrong package fails at runtime, not at compile time.
        filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
        filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "org.camunda.bpm.extension.keycloak.showcase.sso.KeycloakAuthenticationProvider"));
        filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
        filterRegistration.addUrlPatterns("/app/*");
        return filterRegistration;
    }

Does the referenced "authentication-provider" class name exactly match your "KeycloakAuthenticationProvider" class? Including the package? Your stacktrace says that it does not and cannot be found.

Regards Gunnar

andreas-hoffmann-k24 commented 1 year ago

Hi @VonDerBeck,

first of all many thanks to you. I spent a long time searching for the proper configuration / implementation of Camunda logout in combination with the OAuth2 authorization code flow. I am actually using Azure AD in order to authenticate users in Camunda, but I was not able to implement the logout functionality because of a CORS error (logout request to Azure AD).

After that I integrated the custom scripts you mentioned. Additionally, I updated the logout link within the custom scripts (newLogout.setAttribute('href', '/camunda/api/admin/auth/user/default/logout');) and added the logoutUrl within the security config: http.logout().logoutUrl("/camunda/api/admin/auth/user/default/logout");. The logoutSuccessHandler is already set by AADWebSecurityConfigurerAdapter from the Azure AD lib.

Afterwards it's working like a charm :-)

Bragolgirith commented 2 months ago

Note that the steps described in the comment above use a GET request to trigger the logout, whereas it is normally recommended to use a POST request with a valid CSRF token, see Spring Security Reference - CSRF Logout.

To make a POST request work, some extra work is needed:

  1. Update the logout.js scripts to make a POST /logout request with a valid CSRF token, e.g. by rendering and submitting a virtual <form> element:

    //... Somehow capture clicking on the logout link and do the following
    // (assumes Spring's CookieCsrfTokenRepository defaults: cookie "XSRF-TOKEN", field "_csrf"):
    function readCookie(name) {
      const entry = document.cookie.split('; ').find(c => c.startsWith(name + '='));
      return entry ? decodeURIComponent(entry.substring(name.length + 1)) : null;
    }
    const form = document.createElement('form');
    form.action = "logout"; // or "/logout" if using the default logoutRequestMatcher
    form.method = "POST";
    const input = document.createElement("input");
    input.type = "hidden";
    input.name = "_csrf";
    input.value = readCookie("XSRF-TOKEN"); // Read the CSRF value from the cookie
    form.appendChild(input);
    document.body.appendChild(form); // submit() is a no-op for a form that is not attached to the document
    form.submit();
  2. Configure Spring Security to accept the (raw) CSRF token request-attribute (while keeping CSRF BREACH protection) as described here. This is only required for Spring Security >= 5.8.

  3. Configure the Content Security Policy (CSP) to allow cross-origin redirects to the OAuth2 server by adding its URL in the 'form-action' directive, see Camunda 7 Docs - Content Security Policy. E.g. in your application.properties:

    camunda.bpm.webapp.header-security.content-security-policy-value=\
      base-uri 'self';\
      script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';\
      style-src 'unsafe-inline' 'self';\
      default-src 'self';\
      img-src 'self' data:;\
      block-all-mixed-content;\
      form-action 'self' ${your-auth-server-url};\
      frame-ancestors 'none';\
      object-src 'none';\
      sandbox allow-forms allow-scripts allow-same-origin allow-popups allow-downloads;

    (Note that this step is not strictly required for Firefox due to inconsistent interpretation of the CSP form-action directive between browsers, see MDN Web Docs - CSP form-action)


There's also some ongoing effort to natively add support for SSO logout in Camunda.
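A server-side counterpart to steps 1 and 2 above, as an added example that is not from the thread, the showcase or the Spring Security reference. It assumes Spring Security 5.8 (javax.servlet; on 6.x the imports become jakarta.servlet), CookieCsrfTokenRepository defaults (cookie XSRF-TOKEN, form field _csrf), a logout.js that POSTs the raw cookie value as shown above, and that spring.security.oauth2.client.provider.keycloak.issuer-uri is set so that Spring learns Keycloak's end_session_endpoint from discovery. The request handler is modelled on the SPA handler in the Spring Security reference but also accepts the raw token from the form field; class and bean names are mine.

```java
package org.camunda.bpm.extension.keycloak.showcase.sso; // hypothetical package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.function.Supplier;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;

@Configuration
public class WebAppSecurityConfig {

  @Bean
  SecurityFilterChain webAppSecurity(HttpSecurity http, ClientRegistrationRepository clients)
      throws Exception {
    // Spring's RP-initiated logout handler: redirects to Keycloak's end_session_endpoint
    // (from the issuer's discovery document) with id_token_hint and post_logout_redirect_uri.
    OidcClientInitiatedLogoutSuccessHandler keycloakLogout =
        new OidcClientInitiatedLogoutSuccessHandler(clients);
    keycloakLogout.setPostLogoutRedirectUri("{baseUrl}/app/welcome/default/");

    http
      .csrf(csrf -> csrf
          // Readable (non-HttpOnly) cookie so logout.js can copy the token into the form.
          .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
          .csrfTokenRequestHandler(new RawCookieCsrfTokenRequestHandler())
          // Camunda's REST API and engine-rest are protected by Camunda's own CSRF header.
          .ignoringRequestMatchers("/api/**", "/engine-rest/**"))
      .authorizeHttpRequests(authorize -> authorize
          .requestMatchers("/app/**", "/api/**", "/lib/**").authenticated()
          .anyRequest().permitAll())
      .oauth2Login(Customizer.withDefaults())
      // With CSRF enabled, logoutUrl("/logout") only matches POST, which is what the
      // virtual <form> in logout.js sends; a plain GET link no longer logs anyone out.
      .logout(logout -> logout
          .logoutUrl("/logout")
          .logoutSuccessHandler(keycloakLogout));
    return http.build();
  }

  /**
   * Spring Security 5.8+ defaults to XorCsrfTokenRequestAttributeHandler, which masks the
   * token differently on every response (BREACH protection) and expects the masked value
   * back, so a script that copies the raw token out of the cookie would be rejected.
   * This handler keeps the masking for server-rendered forms and also accepts the raw token.
   */
  static final class RawCookieCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {

    private final CsrfTokenRequestHandler xorHandler = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
        Supplier<CsrfToken> csrfToken) {
      // Expose the masked token as the request attribute, exactly as the default handler does.
      xorHandler.handle(request, response, csrfToken);
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
      // Header or _csrf parameter, as sent. Compare in constant time so this pre-check
      // does not turn into a timing oracle for the token.
      String sent = super.resolveCsrfTokenValue(request, csrfToken);
      if (sent != null && MessageDigest.isEqual(
          sent.getBytes(StandardCharsets.UTF_8),
          csrfToken.getToken().getBytes(StandardCharsets.UTF_8))) {
        return sent;
      }
      // Otherwise treat it as a masked token coming from a server-rendered form.
      return xorHandler.resolveCsrfTokenValue(request, csrfToken);
    }
  }
}
```

The POST response is a 302 to Keycloak, so the form-action CSP directive from step 3 still has to list the Keycloak origin. Making the token cookie readable by scripts does not weaken CSRF protection: an attacker on another origin cannot read the cookie, and a script running on the Camunda origin already has everything it needs regardless of the CSRF token.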