stevenmaguire / oauth2-keycloak

Keycloak Provider for OAuth 2.0 Client
MIT License

Keycloak 18 drop support for redirect_uri #46

Closed an-ant0ni0 closed 1 year ago

an-ant0ni0 commented 2 years ago

Since Keycloak 18.0.0 the OpenID Connect Logout has changed: https://www.keycloak.org/2022/04/keycloak-1800-released.html#_openid_connect_logout

The redirect_uri parameter in the logout URL is not allowed anymore. Instead, post_logout_redirect_uri can be used.

I tested the following quickfix successfully with Keycloak 18.0.0:

    public function getLogoutUrl(array $options = [])
    {
        $base = $this->getBaseLogoutUrl();
        $params = $this->getAuthorizationParameters($options);

        # quickfix
        $params['post_logout_redirect_uri'] = $params['redirect_uri'];
        unset($params['redirect_uri']);

        $query = $this->getAuthorizationQuery($params);
        return $this->appendQuery($base, $query);
    }

Additionally, a parameter with the id_token can be included to omit a logout confirmation.

jakeh999 commented 2 years ago

Also following this.

To bypass the logout confirmation, I'm trying to include the id_token_hint parameter retrieved by $accessToken->getToken(), however I'm always getting an invalid token error.

Has anyone been able to get this to work?

an-ant0ni0 commented 2 years ago

Have you tried $accessToken->getValues()['id_token']?

jakeh999 commented 2 years ago

Thanks @an-ant0ni0 for your help!

Have you tried $accessToken->getValues()['id_token']?

This ultimately worked, but for me it was first needed to request the openid scope to receive the id_token with $provider->getAuthorizationUrl(['scope' => ['openid']]);

Trigni commented 2 years ago

Thanks @an-ant0ni0 for your help!

Have you tried $accessToken->getValues()['id_token']?

This ultimately worked, but for me it was first needed to request the openid scope to receive the id_token with $provider->getAuthorizationUrl(['scope' => ['openid']]);

Hello, can you tell us how you pass id_token_hint?

an-ant0ni0 commented 2 years ago

FYI: I have a fix in my fork: https://github.com/stevenmaguire/oauth2-keycloak/compare/master...an-ant0ni0:keycloak-18.0

mancix commented 1 year ago

I resolved it as follows:

When you get the authorization URL you should specify the openid scope, as jakeh999 said:

$provider->getAuthorizationUrl(['scope' => ['openid']]);

In the logout page:

    // retrieve the token obj ($token)
    $provider = new Keycloak([
        'authServerUrl' => KEYCLOAK_AUTH_SERVER_URL,
        'realm' => KEYCLOAK_REALM,
        'clientId' => KEYCLOAK_CLIENT_ID,
        'clientSecret' => KEYCLOAK_CLIENT_SECRET,
    ]);

    $provider->getLogoutUrl([
        'id_token_hint' => $token->getValues()['id_token'],
        'post_logout_redirect_uri' => $postLogoutRedirectUrl,
    ]);

holema commented 1 year ago
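
The quickfix from the first comment and the login/logout flow above, combined into one runnable script. This is an added example, not code from the oauth2-keycloak library or from any commenter in this thread. It assumes the composer packages league/oauth2-client and stevenmaguire/oauth2-keycloak are installed (a version whose getLogoutUrl() still emits redirect_uri), PHP 7.4 or newer, and that the server URL, realm, client credentials and the token are placeholders constructed inline; the class name Keycloak18 and the helper idTokenHint() are my own names.

```php
<?php
declare(strict_types=1);

// Added example, not code from the oauth2-keycloak library or from this thread.
// Assumes: composer packages league/oauth2-client and stevenmaguire/oauth2-keycloak
// (a version whose getLogoutUrl() still emits redirect_uri), PHP 7.4+.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;
use Stevenmaguire\OAuth2\Client\Provider\Keycloak;

// Hypothetical subclass name; it only changes how the logout URL is built.
final class Keycloak18 extends Keycloak
{
    /**
     * Keycloak >= 18 rejects redirect_uri on the logout endpoint. Send
     * post_logout_redirect_uri instead, and let the caller add id_token_hint
     * so the user is not shown the logout confirmation page.
     */
    public function getLogoutUrl(array $options = [])
    {
        $base   = $this->getBaseLogoutUrl();
        $params = $this->getAuthorizationParameters($options);

        // Fall back to the configured redirect URI when no explicit
        // post-logout target was given, then drop the rejected parameter.
        if (isset($params['redirect_uri'])) {
            $params['post_logout_redirect_uri'] ??= $params['redirect_uri'];
            unset($params['redirect_uri']);
        }

        // Authorization-request parameters that mean nothing on the logout endpoint.
        unset($params['response_type'], $params['approval_prompt'], $params['scope']);

        return $this->appendQuery($base, $this->getAuthorizationQuery($params));
    }

    /**
     * The raw ID token to send as id_token_hint. Keycloak only returns id_token
     * when the "openid" scope was part of the authorization request.
     */
    public static function idTokenHint(AccessToken $token): string
    {
        $idToken = $token->getValues()['id_token'] ?? null;
        if (!is_string($idToken) || $idToken === '') {
            throw new RuntimeException(
                'Token response has no id_token; request the "openid" scope in getAuthorizationUrl()'
            );
        }
        return $idToken;
    }
}

// Placeholder configuration; replace with the realm and client you actually use.
$provider = new Keycloak18([
    'authServerUrl' => 'https://keycloak.example.test',
    'realm'         => 'example-realm',
    'clientId'      => 'example-client',
    'clientSecret'  => 'example-secret',
    'redirectUri'   => 'https://app.example.test/callback',
]);

// Login step: requesting "openid" is what makes id_token appear in the token response.
echo $provider->getAuthorizationUrl(['scope' => ['openid']]), PHP_EOL;

// Logout step. In a real app $token is the AccessToken stored in the session after
// getAccessToken('authorization_code', ...); here it is constructed with dummy values.
$token = new AccessToken([
    'access_token' => 'constructed-access-token',
    'id_token'     => 'constructed.id.token',
]);

echo $provider->getLogoutUrl([
    'id_token_hint'            => Keycloak18::idTokenHint($token),
    'post_logout_redirect_uri' => 'https://app.example.test/',
]), PHP_EOL;
```

Two practical notes: idTokenHint() fails loudly when the openid scope was not requested, which is the "invalid token" situation jakeh999 ran into when passing the access token instead of the ID token; and the post-logout target still has to be a redirect URI registered on the Keycloak client, otherwise Keycloak shows an error page instead of redirecting.
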

Hello @mancix, can you give me a hint from where I can get the token obj?

an-ant0ni0 commented 1 year ago

Hello @mancix, can you give me a hint from where I can get the token obj?

It depends on the implementation of this lib. As an example, have a look at the Readme.

micbis commented 1 year ago

Have a look at #58

mstefan21 commented 1 year ago

Released as new version 3.2.0