itpropro / nuxt-oidc-auth

OIDC (OpenID connect) focused auth module for Nuxt
https://nuxt.com/modules/nuxt-oidc-auth
MIT License

Unable to retrieve ID token for Keycloak id_token_hint logout #40

Open Degoya-Studio opened 2 months ago

Degoya-Studio commented 2 months ago

Hi, I'm encountering difficulties obtaining a valid ID token that I would like to use for Keycloak logout. The ID token is not included in the user object, and attempting to set exposeIdToken: true in the provider configuration results in an infinite loop after login.

Current configuration:

```ts
oidc: {
  defaultProvider: 'keycloak',
  providers: {
    keycloak: {
      audience: 'account',
      baseUrl: 'http://localhost:8080/realms/dzg',
      redirectUri: 'http://localhost:3000/auth/keycloak/callback',
      clientId: 'xx',
      clientSecret: 'xx',
      authorizationUrl: 'http://localhost:8080/realms/dzg/protocol/openid-connect/auth',
      tokenUrl: 'http://localhost:8080/realms/dzg/protocol/openid-connect/token',
      logoutUrl: 'http://localhost:8080/realms/dzg/protocol/openid-connect/logout',
      logoutRedirectParameterName: 'post_logout_redirect_uri',
      scope: ['openid', 'profile', 'email'],
      responseType: 'code',
      exposeAccessToken: true,
      grantType: 'authorization_code'
    }
  },
  middleware: {
    globalMiddlewareEnabled: true,
    customLoginPage: false
  }
}
```

Mattymoo007 commented 1 month ago

@Degoya-Studio did you manage to find a way to get the idToken value somehow? I'm struggling with the same situation. I want to log out the user (end session) without the logout confirmation screen. I've searched all around and indeed you need to provide id_token_hint with the post_logout_redirect_uri parameter to get this behaviour from Keycloak. I've tried a number of things to try and get the idToken but no luck so far.

When I add exposeIdToken: true to my config I don't get the infinite redirecting behaviour, but I do get:

Set-Cookie header is ignored in response from url: https://localhost:3000/auth/keycloak/callback. The combined size of the name and value must be less than or equal to 4096 characters.

I assume the logic breaks here and no userInfo is passed to the nuxt-oidc-auth module because the user data is null. Perhaps this could be the issue? Thanks for your time 🍻

My configuration:

```ts
oidc: {
  providers: {
    keycloak: {
      baseUrl: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL || '',
      clientId: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID || '',
      clientSecret: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET || '',
      redirectUri: process.env.BASE_URL + '/auth/keycloak/callback',
      logoutUrl: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL + '/protocol/openid-connect/logout',
      logoutRedirectParameterName: `client_id=${process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID}&post_logout_redirect_uri`,
      tokenUrl: process.env.NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL + '/protocol/openid-connect/token',
      pkce: true,
      grantType: 'authorization_code',
      exposeAccessToken: true,
      tokenRequestType: 'form-urlencoded',
      responseType: 'code id_token',
      nonce: true,
      scopeInTokenRequest: true,
      scope: ['openid'],
    },
  },
  middleware: {
    globalMiddlewareEnabled: false,
  },
},
```

Degoya-Studio commented 1 month ago

@Mattymoo007 I switched to nuxt-auth-utils and there it worked fine for me. I think you're getting this issue, because the library can't store id_token plus the other tokens you're using in the cookies. You need to somehow only save the id_token without refresh and access token, I reckon.

itpropro commented 1 week ago

> @Mattymoo007 I switched to nuxt-auth-utils and there it worked fine for me. I think you're getting this issue, because the library can't store id_token plus the other tokens you're using in the cookies. You need to somehow only save the id_token without refresh and access token, I reckon.

This is a general problem of cookies/h3 and would impact nuxt-auth-utils in the same way if they exposed the id or access token via the session. A general problem with Keycloak is that it promotes a lot of bad practices towards JWT usage, such as storing non-essential user data in tokens instead of using the tokens for auth only and then requesting additional user information from a db/service/userinfo endpoint etc.

Try to not use exposeAccessToken or exposeIdToken at all and try to reduce the load of these on Keycloak side. If you absolutely need one of them try to only expose that one.
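Two things in this thread are worth seeing in working code: the end-session URL Mattymoo007 describes (id_token_hint plus post_logout_redirect_uri), and itpropro's point that the session cookie cannot hold several Keycloak tokens within the 4096-character limit quoted in the error. The block below is an added example and is not code from nuxt-oidc-auth, nuxt-auth-utils or Keycloak; it runs on Node.js 18+ without dependencies. The function names, the cookie name `nuxt-oidc-auth`, the claim values and the unsigned "tokens" are all constructed for illustration, and the size figures are a lower bound because a real session store seals or encrypts the value on top of this.

```javascript
// Added example (not part of nuxt-oidc-auth). Node.js 18+, no dependencies.
// All names, claims and tokens below are constructed assumptions.

const COOKIE_LIMIT = 4096; // "combined size of the name and value" limit from the browser error

// OIDC RP-Initiated Logout 1.0 parameters; Keycloak's /protocol/openid-connect/logout
// accepts them. With id_token_hint the provider can identify the session itself,
// which is what lets it skip the logout confirmation page.
function buildEndSessionUrl(logoutUrl, { idToken, postLogoutRedirectUri, clientId, state } = {}) {
  const url = new URL(logoutUrl);
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (clientId) url.searchParams.set('client_id', clientId);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// --- cookie budget ---------------------------------------------------------

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed, unsigned token with realistic part sizes. NOT a real JWT; nothing
// should ever accept it. 342 chars is the base64url length of a 256-byte RS256
// signature (2048-bit key).
function fakeJwt(claims) {
  const header = base64url({ alg: 'RS256', typ: 'JWT', kid: 'constructed' });
  return `${header}.${base64url(claims)}.${'x'.repeat(342)}`;
}

// Minimal Keycloak-style claims (constructed values).
function leanClaims(extra = {}) {
  return {
    iss: 'http://localhost:8080/realms/dzg',
    sub: 'f47ac10b-58cc-4372-a567-0e02b2c3d479',
    aud: 'account',
    exp: 1700000900,
    iat: 1700000000,
    azp: 'xx',
    scope: 'openid profile email',
    ...extra,
  };
}

// The same claims plus the kind of payload a role-heavy realm puts in every token
// (the "storing non-essential user data in tokens" problem).
function bloatedClaims(extra = {}) {
  return leanClaims({
    realm_access: { roles: Array.from({ length: 80 }, (_, i) => `app-role-${i}`) },
    resource_access: { account: { roles: ['manage-account', 'view-profile'] } },
    name: 'Example User',
    preferred_username: 'example',
    email: 'example@example.invalid',
    ...extra,
  });
}

// Cookie serializers percent-encode the value; sealing/encryption by the session
// store only adds to this, so `size` is a lower bound.
function cookieBudget(name, session) {
  const size = name.length + encodeURIComponent(JSON.stringify(session)).length;
  return { size, fits: size <= COOKIE_LIMIT };
}

// Three ways of filling the session cookie, sized against the limit:
// a lean access token alone, one bloated ID token alone, and both bloated tokens.
function sessionSizes(cookieName = 'nuxt-oidc-auth') {
  const userInfo = { sub: 'f47ac10b-58cc-4372-a567-0e02b2c3d479', email: 'example@example.invalid' };
  return {
    accessOnly: cookieBudget(cookieName, { userInfo, accessToken: fakeJwt(leanClaims()) }),
    idOnly: cookieBudget(cookieName, { userInfo, idToken: fakeJwt(bloatedClaims({ typ: 'ID' })) }),
    accessAndId: cookieBudget(cookieName, {
      userInfo,
      accessToken: fakeJwt(bloatedClaims()),
      idToken: fakeJwt(bloatedClaims({ typ: 'ID' })),
    }),
  };
}

console.log(buildEndSessionUrl('http://localhost:8080/realms/dzg/protocol/openid-connect/logout', {
  idToken: fakeJwt(leanClaims({ typ: 'ID' })),
  postLogoutRedirectUri: 'http://localhost:3000/',
  clientId: 'xx',
}));
console.table(sessionSizes());
```

The last scenario is the one from Mattymoo007's config (`exposeAccessToken` plus `exposeIdToken` against a realm that pads tokens with roles): two such tokens alone exceed the budget, while a single token, even a padded one, still fits, which is why itpropro's advice is to expose at most one and to trim the claims on the Keycloak side.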