When using lua-resty-openidc with Keycloak for OpenID Connect, an issue arises during the logout process if the session has been removed from Redis by OpenResty. Specifically, Keycloak requires an id_token_hint to be passed during the logout request. If the session is no longer available and the id_token_hint is missing, Keycloak returns an error instead of redirecting to the post_logout_redirect_uri.
Environment
lua-resty-openidc version 1.7.6-3
OpenID Connect provider Keycloak v22.0
Expected behaviour
When the session is no longer available, the logout request to Keycloak should still proceed and redirect the user to the post_logout_redirect_uri.
Actual behaviour
Keycloak returns an error indicating that the id_token_hint is missing, and the user is not redirected to the post_logout_redirect_uri.
-- Let API clients present the OpenResty session id as a Bearer token:
-- copy it into the "session" cookie that lua-resty-session reads.
local authorization_header = ngx.var.http_authorization
if authorization_header then
  ngx.log(ngx.INFO, "Cookie Before is ", ngx.var.cookie_session)
  -- skip the 7-character "Bearer " prefix (sub from index 8, not 7, or the value keeps a leading space)
  local authorization = string.sub(authorization_header, 8)
  local cookie_header = string.format("session=%s", authorization)
  ngx.req.set_header("Cookie", cookie_header)
end

-- authenticate() returns res, err, target_url, session; "opts" is the table from the minimized example
local res, err, target_url, session = require("openidc").authenticate(opts)
if err then
  ngx.status = 403
  ngx.say(err) -- note: this echoes the library's error text to the client
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
Minimized example
local opts = {
  redirect_uri = authParams.redirect_uri,
  logout_path = authParams.logout_path,
  post_logout_redirect_uri = authParams.post_logout_redirect_uri,
  revoke_tokens_on_logout = true,
  accept_none_alg = false,
  discovery = "https://sample.keycloak.com/keycloak/realms/example/.well-known/openid-configuration",
  client_id = "dev-env",
  client_secret = "uocPIvoy53ek",
  scope = "openid email profile",
  ssl_verify = "no",
  keepalive = "yes",
}
Configuration and NGINX server log files
Config and logs for the minimized example, possibly provided as attachments.
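The following is an added example, not code from this issue or from lua-resty-openidc itself. It shows how an RP-initiated logout URL for Keycloak's end_session_endpoint can be built so that the redirect still works when the OpenResty session (and with it the stored id_token) has already been evicted from Redis: pass id_token_hint when the session still holds one, otherwise fall back to client_id next to post_logout_redirect_uri. The fallback relies on Keycloak (18 and later) accepting client_id in place of id_token_hint for validating post_logout_redirect_uri; check that against the Keycloak version you run. The field name enc_id_token is the one lua-resty-openidc uses for the raw id_token in its session data; the endpoint, client and redirect values below are constructed sample input.

```lua
-- Added example (not lua-resty-openidc code). Builds the Keycloak logout URL
-- with id_token_hint when available and client_id as the fallback.

-- Percent-encode a query value (unreserved characters per RFC 3986 are kept).
local function url_encode(s)
  return (tostring(s):gsub("[^%w%-%._~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Serialise a table of parameters as a query string, keys sorted so the
-- output is deterministic (handy for logging and for comparing in tests).
local function encode_params(params)
  local keys = {}
  for k in pairs(params) do keys[#keys + 1] = k end
  table.sort(keys)
  local parts = {}
  for _, k in ipairs(keys) do
    parts[#parts + 1] = url_encode(k) .. "=" .. url_encode(params[k])
  end
  return table.concat(parts, "&")
end

-- session_data is the table the session store hands back; it is nil when the
-- session was evicted from Redis or never existed. Assumption: the raw
-- id_token lives in session_data.enc_id_token, as lua-resty-openidc stores it.
local function build_logout_url(end_session_endpoint, opts, session_data)
  local params = { post_logout_redirect_uri = opts.post_logout_redirect_uri }
  local id_token = session_data and session_data.enc_id_token
  if id_token then
    -- preferred: tells Keycloak exactly which SSO session to end
    params.id_token_hint = id_token
  else
    -- fallback: identifies the client so Keycloak can validate the redirect URI
    params.client_id = opts.client_id
  end
  local sep = end_session_endpoint:find("?", 1, true) and "&" or "?"
  return end_session_endpoint .. sep .. encode_params(params)
end

-- Constructed sample values (not taken from the issue or a real deployment).
local endpoint = "https://sample.keycloak.com/keycloak/realms/example/protocol/openid-connect/logout"
local opts = { client_id = "dev-env", post_logout_redirect_uri = "https://app.example.com/" }

-- 1) session still present: id_token_hint is sent
print(build_logout_url(endpoint, opts, { enc_id_token = "eyJhbGciOi.eyJzdWIiOi.abc" }))
-- 2) session evicted from Redis: no id_token_hint, client_id is sent instead
print(build_logout_url(endpoint, opts, nil))
```

Sending the user to this URL when the session is already gone avoids the Keycloak error page reported above, because Keycloak can still match post_logout_redirect_uri against the client's registered redirect URIs using client_id. Without either parameter, Keycloak has no client to validate the redirect against and will not redirect. The example is plain Lua with no dependency on ngx, so it runs stand-alone; in OpenResty you would typically use ngx.escape_uri for the encoding step.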