Closed an-ant0ni0 closed 1 year ago
Also following this.
To bypass the logout confirmation, I'm trying to include the id_token_hint parameter retrieved by $accessToken->getToken(), however I'm always getting an invalid token error.
Has anyone been able to get this to work?
Have you tried $accessToken->getValues()['id_token']?
Thanks @an-ant0ni0 for your help!
> Have you tried $accessToken->getValues()['id_token']?
This ultimately worked, but for me it was first needed to request the openid scope to receive the id_token
with $provider->getAuthorizationUrl(['scope' => ['openid']]);
Hello, can you tell us how you pass id_token_hint?
FYI: I have a fix in my fork: https://github.com/stevenmaguire/oauth2-keycloak/compare/master...an-ant0ni0:keycloak-18.0
I resolved it as follows:
When you get the authorization url you should specify the open_id scope as jakeh999 said
$provider->getAuthorizationUrl(['scope' => ['openid']]);
In the logout page
// retrieve the token obj ($token)
$provider = new Keycloak([
    'authServerUrl' => KEYCLOAK_AUTH_SERVER_URL,
    'realm' => KEYCLOAK_REALM,
    'clientId' => KEYCLOAK_CLIENT_ID,
    'clientSecret' => KEYCLOAK_CLIENT_SECRET,
]);
// build the logout URL; the browser is then redirected to $logoutUrl
$logoutUrl = $provider->getLogoutUrl([
    'id_token_hint' => $token->getValues()['id_token'],
    'post_logout_redirect_uri' => $postLogoutRedirectUrl,
]);
Hello @mancix, can you give me a hint from where I can get the token obj?
It depends on the implementation of this lib. As an example have a look into the Readme.
Have a look at #58
Released as new version 3.2.0
Since Keycloak 18.0.0 the OpenID Connect Logout has changed: https://www.keycloak.org/2022/04/keycloak-1800-released.html#_openid_connect_logout
The redirect_uri parameter in logout url is not allowed anymore. Instead post_logout_redirect_uri can be used. I tested following quickfix successfully with keycloak 18.0.0:
Additionally, a parameter with the id_token can be included to omit a logout confirmation.
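The logout request discussed in this thread, as an added example that is not code from the library or from any commenter: it builds the Keycloak 18+ logout URL by hand and refuses an access token passed as id_token_hint, the mix-up behind the "invalid token" error reported above. The function names, hosts and sample tokens are hypothetical, and the `typ` check assumes Keycloak's convention of marking ID tokens with `typ` "ID" and access tokens with "Bearer".

```php
<?php
// Added illustration; function names and sample values are hypothetical.

/** Decode a JWT payload WITHOUT verifying the signature (sanity check only). */
function jwtClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWT');
    }
    // base64url -> base64; non-strict decoding tolerates the missing padding
    $claims = json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('unreadable JWT payload');
    }
    return $claims;
}

/** Build a logout URL carrying id_token_hint and post_logout_redirect_uri. */
function buildLogoutUrl(string $authServerUrl, string $realm, string $idToken, string $postLogoutRedirectUri): string
{
    // Assumption: Keycloak sets typ "ID" on ID tokens and "Bearer" on access tokens.
    // Keycloak still validates the hint itself; this only catches the wrong token early.
    $typ = jwtClaims($idToken)['typ'] ?? null;
    if ($typ !== 'ID') {
        throw new InvalidArgumentException('id_token_hint must be an ID token, got typ=' . var_export($typ, true));
    }
    return rtrim($authServerUrl, '/') . '/realms/' . rawurlencode($realm)
        . '/protocol/openid-connect/logout?'
        . http_build_query([
            'id_token_hint' => $idToken,
            'post_logout_redirect_uri' => $postLogoutRedirectUri,
        ], '', '&', PHP_QUERY_RFC3986);
}

// Constructed, unsigned sample tokens for demonstration only.
$b64 = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$mk  = fn(string $typ): string => $b64(['alg' => 'none']) . '.' . $b64(['typ' => $typ, 'sub' => 'demo']) . '.sig';

echo buildLogoutUrl('https://sso.example.test', 'demo', $mk('ID'), 'https://app.example.test/bye'), "\n";
try {
    // Passing the access token, as with $accessToken->getToken(), is rejected.
    buildLogoutUrl('https://sso.example.test', 'demo', $mk('Bearer'), 'https://app.example.test/bye');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```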