Logout confirmation shown even with included OIDC keycloak.js adapter #12114
-
|
After updating to Keycloak 18 there is now a "Do you want to logout?" page when logging out via the official Javascript adapter as provided by the Keycloak instance. Logging out + redirect works fine, but the user has to press an extra button. The changelog says:
From what I see the Javascript adapter properly sets post_logout_redirect_uri as well as id_token_hint here, but still the "Do you want to logout?" page is shown. Is there anything else I need to do to get rid of the confirmation page? thanks |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 8 replies
-
|
It seems that the activated client option "Consent Required" is causing this behavior. Without that the logout is working as expected. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, that indeed works. But also disables the login consent page :( |
Beta Was this translation helpful? Give feedback.
-
|
Yes, this seems to be a bug: #11915 |
Beta Was this translation helpful? Give feedback.
-
|
I'll subscribe there then and mark this as solved thanks π |
Beta Was this translation helpful? Give feedback.
-
|
Can you please specify where you found that option, since the only "Consent required" I found is under client settings and in my case it's disabled |
Beta Was this translation helpful? Give feedback.
-
|
same here, "Constent required" is disabled and the logout contains the redirectUrl, but the confirmation is still present. |
Beta Was this translation helpful? Give feedback.
-
|
The logout confirmation is shown if you do not pass the "id_token_hint", which is created from the "idToken". keycloak/js/libs/keycloak-js/src/keycloak.js Lines 486 to 488 in bcab75a To clarify, the "id_token_hint" is generated from the "idToken" and is required to confirm the logout process. If you manage tokens on your side, such as storing them in a local storage, and pass them to the Keycloak init method, you need to provide not only the token and refreshToken but also the idToken. This enables Keycloak to create the necessary "id_token_hint" during logout. However, a problem arises when you save tokens in local storage because all tabs share the same tokens. So, if you log out in one tab and then attempt to log out in another tab, you will encounter the logout confirmation screen. This happens because Keycloak cannot create the "id_token_hint" in this scenario. On the other hand, if you do not manage tokens on your side (i.e., you do not save or pass them to keycloak.init), you should not experience these problems. By the way, there might be a bug with the logout confirmation screen, even if you do not manage tokens on your side. For instance, if you log in on both tabs, log out in the first tab, and then log in again, and then log out in the second tab, you will see the confirmation screen. You can refer to the following resources for more information on this topic:
|
Beta Was this translation helpful? Give feedback.
-
@ddubrava |
Beta Was this translation helpful? Give feedback.
-
|
Hey! Iβm not a maintainer, just a user. So, cannot share any insights on this. Itβs better to ping maintainers |
Beta Was this translation helpful? Give feedback.
-
Funny, your post looked like it was written by some maintainer. Didn't event question it haha. But thanks for the reply |
Beta Was this translation helpful? Give feedback.
It seems that the activated client option "Consent Required" is causing this behavior. Without that the logout is working as expected.