Reputation: 1537
I am currently working on a small project using Keycloak 2.5.0. I've already set up the user login and I'm now trying to implement a page-wide logout button.
As the documentation states, I simply called the route http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://application-root.com/ For the sake of simplicity I used an anchor tag to make this GET request.
If I take a look into the Network tab of the Firefox developer tools, everything seems to be working fine. I am getting back a 302 status code for the redirection request. After that, the application successfully requests http://application-root.com/ with a status code of 200 and redirects me to this page.
But when I want to request the locked content again (the one secured by Keycloak), it's still accessible.
But whenever I manually delete the JSESSIONID and KEYCLOAK_ADAPTER_STATE cookies after the redirection, everything works fine and I'm being logged out correctly. Sadly I can't delete those cookies programmatically because they are HttpOnly.
What is the expected behaviour of this request?
Am I missing something?
Has anyone experienced anything similar ?
Thanks for any help
Upvotes: 16
Views: 17462
Reputation: 1192
I implemented logout using Keycloak version 4.8.3. The mandatory parameter is the ID token (id_token_hint). The optional parameter is the redirect URL (post_logout_redirect_uri). Example:
http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEY0gyNnl0OFV0OEJQTGxoR&post_logout_redirect_uri=http:%2F%2Fapplication-root.com%2F
Upvotes: 4
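Added example (not code from the question, the answer or Keycloak itself): it builds the logout URL with the two parameters named in the answer using proper percent-encoding, parses such a URL back, and shows the response an application's own logout route can send so that the HttpOnly JSESSIONID and KEYCLOAK_ADAPTER_STATE cookies from the question are expired server-side before the browser is redirected to Keycloak. The realm URL, the allow-list of post-logout URIs, the cookie Path and the sample ID token are assumptions for illustration.

```javascript
// Added example, not code from the question, the answer or Keycloak.
// Hostnames, the allow-list, cookie Path and the sample token are assumptions.

const AUTH_SERVER = "http://my-auth-server/auth/realms/master";           // assumed realm
const LOGOUT_ENDPOINT = `${AUTH_SERVER}/protocol/openid-connect/logout`;
const ALLOWED_POST_LOGOUT = ["http://application-root.com/"];            // assumed registered URI
const LOCAL_SESSION_COOKIES = ["JSESSIONID", "KEYCLOAK_ADAPTER_STATE"];  // cookies named in the question

function buildLogoutUrl(idToken, postLogoutRedirectUri) {
  // id_token_hint must be the compact JWT the client received at login.
  if (typeof idToken !== "string" || idToken.split(".").length !== 3) {
    throw new Error("id_token_hint must be a compact JWT (header.payload.signature)");
  }
  // Only pass redirect targets registered for the client; taking this value from
  // user input would turn the logout link into an open redirector.
  if (!ALLOWED_POST_LOGOUT.includes(postLogoutRedirectUri)) {
    throw new Error("post_logout_redirect_uri is not an allowed redirect target");
  }
  const url = new URL(LOGOUT_ENDPOINT);
  // URLSearchParams percent-encodes the redirect URI (':' and '/' included).
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

function parseLogoutUrl(urlString) {
  const url = new URL(urlString);
  return {
    endpoint: `${url.origin}${url.pathname}`,
    idTokenHint: url.searchParams.get("id_token_hint"),
    postLogoutRedirectUri: url.searchParams.get("post_logout_redirect_uri"),
  };
}

// The HTTP response the application's own /logout route should send: expire the
// HttpOnly cookies (page script cannot do this) and then redirect to Keycloak so
// the SSO session ends as well. Assumes the cookies were set with Path=/.
function logoutResponse(idToken, postLogoutRedirectUri) {
  const clearCookies = LOCAL_SESSION_COOKIES.map(
    (name) => `${name}=; Path=/; Max-Age=0; HttpOnly`
  );
  return {
    status: 302,
    headers: {
      Location: buildLogoutUrl(idToken, postLogoutRedirectUri),
      "Set-Cookie": clearCookies,
    },
  };
}

// Constructed sample ID token (unsigned placeholder, for illustration only).
const SAMPLE_ID_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl";
```

Clearing the adapter cookies this way is what the question observed to work when done by hand; doing it in the server response and then issuing the Keycloak redirect from that same response is the order a logout route should follow, since the redirect alone only ends the Keycloak session.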