post_logout_redirect_uri causes "invalid redirect_uri" for clients created in keycloak 19 with old admin console
Describe the bug
On our dev system we have clients created in keycloak v17 and clients created in v19.
For example:
https://my.keycloak.com/realms/my-realm/protocol/openid-connect/logout?post_logout_redirect_uri=https://valid.redirect.uri&client_id=my-client
should work but did not, even though https://valid.redirect.uri is a valid redirect_uri configured in my-client.
I was able to compare export jsons of old and new clients and found this difference:
{
  ...
  "protocol": "openid-connect",
  "attributes": {
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "post.logout.redirect.uris": "+", //<--- this line exists in old but not in the new clients
    "frontchannel.logout.session.required": "true",
    ...
This is also the way to hotfix this issue:
- export the client
- delete exported client from keycloak
- add the line above to the exported json under the "attributes" object. Line: "post.logout.redirect.uris": "+"
- import the edited json
- redirect works again
Version
19.0.0
Expected behavior
That the valid redirect URIs in the client configuration are used to validate post logout redirect URIs. Or have a separate configuration in each client for valid post-logout URIs. And - of course - a successful redirect.
Actual behavior
Error: invalid redirect_uri
How to Reproduce?
- Create new client in keycloak v19
- log in to client successfully
- build post_logout_redirect_url using URL provided in end_session_endpoint in realms/my-realm/.well-known/openid-configuration, adding the following URL params: client_id & post_logout_redirect_uri
- see “Error invalid redirect_uri” both in browser and in logs
keycloak_1 | 2022-09-06 16:10:00,122 WARN [org.keycloak.events] (executor-thread-129) type=LOGOUT_ERROR, realmId=my-realm, clientId=null, userId=null, ipAddress=1.1.1.1, error=invalid_redirect_uri, redirect_uri=https://valid.redirect.uri
Anything else?
No response
Issue Analytics
- State:
- Created a year ago
- Comments:11 (6 by maintainers)
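
An added example, not part of the original issue or Keycloak's own code: a Python check over exported client JSON that finds openid-connect clients missing the "post.logout.redirect.uris" attribute and applies the hotfix line from the issue to a copy. The sample clients and the helper names audit_clients and apply_hotfix are constructed for illustration; the value "+" is understood here to make Keycloak reuse the client's valid redirect URIs for post-logout validation, which is why wildcard entries are reported alongside each finding.

```python
import json

ATTR = "post.logout.redirect.uris"

# Constructed sample shaped like exported Keycloak clients (not real data).
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "old-client", "protocol": "openid-connect",
   "redirectUris": ["https://valid.redirect.uri"],
   "attributes": {"post.logout.redirect.uris": "+"}},
  {"clientId": "new-client", "protocol": "openid-connect",
   "redirectUris": ["https://valid.redirect.uri", "https://app.example/*"],
   "attributes": {"frontchannel.logout.session.required": "true"}},
  {"clientId": "saml-client", "protocol": "saml",
   "redirectUris": [], "attributes": {}}
]
""")


def audit_clients(clients):
    """Return one finding per OIDC client that lacks the attribute."""
    findings = []
    for client in clients:
        if client.get("protocol") != "openid-connect":
            continue  # the attribute only affects OIDC logout
        attrs = client.get("attributes") or {}
        if attrs.get(ATTR):
            continue  # already configured, logout redirect will validate
        # With "+", every redirect URI also becomes a post-logout target,
        # so surface wildcard entries for review before patching.
        wildcards = [u for u in client.get("redirectUris") or [] if "*" in u]
        findings.append({"clientId": client.get("clientId"),
                         "wildcard_redirects": wildcards})
    return findings


def apply_hotfix(client):
    """Return a copy of the client with the issue's attribute line added."""
    patched = json.loads(json.dumps(client))  # deep copy of plain JSON data
    attrs = patched.get("attributes") or {}
    attrs.setdefault(ATTR, "+")
    patched["attributes"] = attrs
    return patched


if __name__ == "__main__":
    for finding in audit_clients(SAMPLE_CLIENTS):
        print(finding)
    print(json.dumps(apply_hotfix(SAMPLE_CLIENTS[1])["attributes"], indent=2))
```
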
Top GitHub Comments
Reopened for backport to 19.0.2
Makes sense to me, I am going to create a PR to fix this by adding a feature to configure the post_logout_redirect_uri attribute of the client on the legacy admin UI.