nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Logout #30

Closed meghprkh closed 6 years ago

meghprkh commented 6 years ago

What is the logout url? /logout does not work for me and IMO it shall be configurable, since it might be needed to run the kong services on a subpath and thus the logout path would be /[subpath]/logout for me then.

Trojan295 commented 6 years ago

Are you calling logout on the Admin API (port 8001) or proxy (8000 port)?

ror6ax commented 6 years ago

ping @meghprkh

meghprkh commented 6 years ago

@Trojan295 @ror6ax sorry I was calling the proxy. How do I use the admin api logout?

Trojan295 commented 6 years ago

@meghprkh, it's good you make the calls to the proxy, I wanted to confirm it only.

Are you using the newest version of the plugin (v1.0.4)? If not, could you update and check, if the problem persists? If yes, could you provide some more details:

If it's possible could you also post steps, how to reproduce the problem?

meghprkh commented 6 years ago

Sorry I am not able to respond to this on time, since I have left this project, but I will try to help.

I use the following dockerfile https://hub.docker.com/r/felicityiiith/kong/~/dockerfile/

Trojan295 commented 6 years ago

OK, I checked this and /logout works only in case there is an API registered on it. I believe you are getting a "no API found with those values" message on /logout, but could you confirm it?

meghprkh commented 6 years ago

@Trojan295 Yeah I had no API registered on /logout (and I have an HAProxy in the front which only sends requests on /k to kong, so need to configure it differently, as the main logout deletes a separate PHP session maintained by the CMS which is not proxied by kong)

Trojan295 commented 6 years ago

Support for custom login paths was merged and will be released in 1.0.5. Closing this.

shlomiken commented 6 years ago

Can you please explain / add to the doc how to configure a service+route that will handle logout? Currently it does not work.

damien-neveu commented 5 years ago

@shlomiken This is how I set up logout (I use Kong 1.0 and Keycloak 4.7, both in docker containers):

```bash
#!/bin/bash

KONG_HOST="localhost"
KONG_PROXY_PORT=8000
KONG_ADMIN_PORT=8001
MOCKBIN_SERVICE_NAME="mockbin-service"
MOCKBIN_SERVICE_URL="http://mockbin.org/request"

# IP of the en0 interface ("ipconfig getifaddr" is the macOS form)
KEYCLOAK_HOST_IP=$(ipconfig getifaddr en0)
KEYCLOAK_ADMIN_PORT=8181
KEYCLOAK_REALM_NAME="my-demo-realm"
KONG_CLIENT_ID="kong" # as defined in keycloak
KONG_CLIENT_SECRET="..." # as defined in keycloak

# add new "mock service"
MOCKBIN_SERVICE_ID=$(curl -s -X POST "http://$KONG_HOST:$KONG_ADMIN_PORT/services" \
  -d "name=$MOCKBIN_SERVICE_NAME" \
  -d "url=$MOCKBIN_SERVICE_URL" | jq -r '.id')

# add routes '/mock' and '/logout' to the mock service
curl -s -X POST "http://$KONG_HOST:$KONG_ADMIN_PORT/routes" \
  -H "content-type: application/json" \
  -d "{\"service\":{\"id\":\"$MOCKBIN_SERVICE_ID\"},\"paths\":[\"/mock\",\"/logout\"]}" | jq '.'

# setup oidc plugin (URLs are quoted so the shell does not treat '?' as a glob)
curl -s -X POST "http://$KONG_HOST:$KONG_ADMIN_PORT/plugins" \
  -d "name=oidc" \
  -d "config.client_id=$KONG_CLIENT_ID" \
  -d "config.client_secret=$KONG_CLIENT_SECRET" \
  -d "config.discovery=http://$KEYCLOAK_HOST_IP:$KEYCLOAK_ADMIN_PORT/auth/realms/$KEYCLOAK_REALM_NAME/.well-known/openid-configuration" \
  -d "config.redirect_after_logout_uri=http://$KEYCLOAK_HOST_IP:$KEYCLOAK_ADMIN_PORT/auth/realms/$KEYCLOAK_REALM_NAME/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F$KONG_HOST%3A$KONG_PROXY_PORT%2Fmock" | jq '.'
```
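Added example, not part of any comment in this thread and not the plugin's own code: a pre-flight check for the two things the thread turned on, namely that a route must cover the logout path and that the post-logout `redirect_uri` must be percent-encoded. The function names, the `keycloak.example` host and the `/k` subpath values are assumptions for illustration, and `route_covers` approximates Kong's non-regex path matching with a plain string-prefix test.

```sh
#!/bin/sh
# Added example: all hosts, ports and paths below are constructed sample values.

# Percent-encode every byte outside the RFC 3986 unreserved set (ASCII input).
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest      # peel off the first character
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Succeed when request path $1 starts with one of the route path prefixes
# passed as the remaining arguments (assumption: plain prefixes, no regex paths).
route_covers() {
  req=$1; shift
  for prefix in "$@"; do
    case $req in "$prefix"*) return 0 ;; esac
  done
  return 1
}

# Build a value for config.redirect_after_logout_uri.
# $1 = Keycloak realm base URL, $2 = page to land on after logout.
logout_redirect_uri() {
  printf '%s/protocol/openid-connect/logout?redirect_uri=%s' "$1" "$(urlencode "$2")"
}

# Constructed scenario: a front proxy forwards only /k to Kong.
LOGOUT_PATH=/k/logout
# Route paths would normally come from the Admin API /routes listing.
if route_covers "$LOGOUT_PATH" /k/mock /k/logout; then
  logout_redirect_uri "http://keycloak.example:8181/auth/realms/my-demo-realm" \
                      "http://localhost:8000/k/mock"
  echo
else
  echo "no route covers $LOGOUT_PATH; register one before relying on logout" >&2
fi
```
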