Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

post_logout_redirect_uri causes "invalid redirect_uri" for clients created in keycloak 19 with old admin console

See original GitHub issue

Describe the bug

On our dev system we have clients created in keycloak v17 and clients created in v19.

For example: https://my.keycloak.com/realms/my-realm/protocol/openid-connect/logout?post_logout_redirect_uri=https://valid.redirect.uri&client_id=my-client should work but did not, even though https://valid.redirect.uri is a valid redirect_uri configured in my-client.

I was able to compare export jsons of old and new clients and found this difference:

{
    ...
    "protocol": "openid-connect",
    "attributes": {
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "post.logout.redirect.uris": "+", //<--- this line exists in old but not in the new clients
        "frontchannel.logout.session.required": "true",
        ...

This is also the way to hotfix this issue:

export the client
delete exported client from keycloak
add the line above to the exported json under "attributes" object Line: "post.logout.redirect.uris": "+"
import the edited json
redirect works again

Version

19.0.0

Expected behavior

That the valid redirect URIs in the client configuration are used to validate post logout redirect URIs. Or have a separate configuration in each client for valid post-logout URIs. And - of course - a successful redirect.

Actual behavior

Error: invalid redirect_uri

How to Reproduce?

Create new client in keycloak v19
log in to client successfully
build post_logout_redirect_url using URL provided in end_session_endpoint in realms/my-realm/.well-known/openid-configuration, adding the following URL params client_id & post_logout_redirect_uri
see “Error invalid redirect_uri” both in browser and in logs keycloak_1 | 2022-09-06 16:10:00,122 WARN [org.keycloak.events] (executor-thread-129) type=LOGOUT_ERROR, realmId=my-realm, clientId=null, userId=null, ipAddress=1.1.1.1, error=invalid_redirect_uri, redirect_uri=https://valid.redirect.uri

Anything else?

No response

Issue Analytics

State:
Created a year ago
Comments:11 (6 by maintainers)

Top GitHub Comments

1reaction

mposoldacommented, Sep 12, 2022

Reopened for backport to 19.0.2

0reactions

lexcaocommented, Sep 10, 2022

Make sense to me, I am going to create a PR to fix this by adding a feature to configure the post_logout_redirect_uri attribute of the client on legacy admin UI.