jumbojett / OpenID-Connect-PHP

Minimalist OpenID Connect client
https://github.com/jumbojett/OpenID-Connect-PHP
Apache License 2.0

signOut #236

Open rodrigoguariento opened 3 years ago

rodrigoguariento commented 3 years ago

When I call the signOut method, I'm redirected to a URL like this: http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYNHE5OGt4ejBzeHp4QUs3cDZ4eUZvYzN4dDJrUU5zcEhWLUxjaUc2LWlRIn0.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

But I got the following return in browser: image

.. and this appears on Keycloak log: image

Here is the last point before redirect to url above: image

Any idea about what is going on? I don't know if the lib has some bug or if I forgot some config ... keep in mind that this is the first time I'm having contact with OAuth (I'm using Keycloak + Example 1: Basic Client).

Thanks.

charlesmass commented 3 years ago

Can you show us how you save the accessToken on login and how you pass it to the signOut method?

rodrigoguariento commented 3 years ago

Can you show us how you save the accessToken on login and how you pass it to the signOut method?

The signIn is:

        $oidc = new OpenIDConnectClient(OID_PROVIDER_URL, OID_CLIENT_ID, OID_CLIENT_SECRET);
        $oidc->setCertPath(OID_CERT_PATH);
        $oidc->setRedirectURL($redirectSelf);
        $oidc->setVerifyHost(false); // locally
        $oidc->setVerifyPeer(false); // locally
        $oidc->authenticate(); // first time user will be redirected to keycloak login page here
        $oidc->addScope('email'); // this line and next will be executed after keycloak identify user authenticated
        $accessToken = $oidc->requestClientCredentialsToken()->access_token;

The signOut is:

        $oidc = new OpenIDConnectClient(OID_PROVIDER_URL, OID_CLIENT_ID, OID_CLIENT_SECRET);
        $oidc->setCertPath(OID_CERT_PATH);
        $oidc->setRedirectURL($self);
        $oidc->setVerifyHost(false); // locally
        $oidc->setVerifyPeer(false); // locally
        $oidc->signOut($accessToken, $redirectGoodBye);

JuliusPC commented 3 years ago

You need to supply the id token to the signOut method, not the access token. The comment in the method is very confusing, I opened a PR which includes a commit to fix this. Hopefully @jumbojett finds time to review, merge it and release a new version to packagist.

Another thing: Your signIn looks odd to me. Do you really need to use the code grant and the client credentials grant? To make things clearer, this is how I would sign in:

$oidc = new OpenIDConnectClient(OID_PROVIDER_URL, OID_CLIENT_ID, OID_CLIENT_SECRET);
$oidc->setCertPath(OID_CERT_PATH);
$oidc->setRedirectURL($redirectSelf);
$oidc->setVerifyHost(false); // locally
$oidc->setVerifyPeer(false); // locally
$oidc->addScope('email');
$oidc->authenticate();
$accessToken = $oidc->getAccessToken();
// save id token for later logout:
$idToken = $oidc->getIdToken();
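To show how the sign-in above connects to a later sign-out across two requests, here is an added end-to-end example (not code from the issue author or from the OpenID-Connect-PHP project): the ID token is stored in the PHP session at login and handed to signOut() at logout, which is what the id_token_hint parameter in the logout URL expects. It assumes a Composer autoloader, the OID_* constants used in this thread, and the page URLs https://app.example/login.php, /logout.php and /goodbye.php, all of which are placeholders.

```php
<?php
// Added example: login.php and logout.php handlers for jumbojett/OpenID-Connect-PHP.
// Assumptions: Composer autoload is present, OID_PROVIDER_URL / OID_CLIENT_ID /
// OID_CLIENT_SECRET are defined as in the thread, and the app.example URLs are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

function makeClient(string $redirectUrl): OpenIDConnectClient
{
    $oidc = new OpenIDConnectClient(OID_PROVIDER_URL, OID_CLIENT_ID, OID_CLIENT_SECRET);
    $oidc->setRedirectURL($redirectUrl);
    // TLS verification stays on. setVerifyHost(false) / setVerifyPeer(false) as used
    // in the thread are only acceptable against a local test Keycloak.
    return $oidc;
}

// login.php: code grant only; the client credentials grant is not needed here.
function handleLogin(): void
{
    session_start();
    $oidc = makeClient('https://app.example/login.php'); // assumed URL
    $oidc->addScope('email');
    $oidc->authenticate(); // first call redirects to Keycloak; after the callback it returns here

    session_regenerate_id(true); // fresh session id after authentication (session fixation defence)
    $_SESSION['id_token']   = $oidc->getIdToken();        // kept only for RP-initiated logout
    $_SESSION['user_email'] = $oidc->requestUserInfo('email');
    // The access token is for calling APIs; it is not what signOut() needs.
}

// logout.php: local logout first, then RP-initiated logout at the provider.
function handleLogout(): void
{
    session_start();
    $idToken = $_SESSION['id_token'] ?? null;

    // Drop the application session even if the provider round-trip later fails.
    $_SESSION = [];
    session_destroy();

    if ($idToken === null) {
        // No ID token (e.g. session already expired): finish locally without the provider.
        header('Location: https://app.example/goodbye.php'); // assumed URL
        exit;
    }

    $oidc = makeClient('https://app.example/logout.php'); // assumed URL
    // signOut() sends the ID token as id_token_hint to the provider's end_session_endpoint.
    $oidc->signOut($idToken, 'https://app.example/goodbye.php');
}
```

signOut() reads end_session_endpoint from the provider's discovery document, so the client only needs the provider URL; passing an access token as the first argument produces a hint Keycloak cannot validate, which matches the error reported at the top of this issue.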