[QA] post logout redirect does not work with keycloak #276

Open
jnweiger opened this issue Dec 21, 2022 · 6 comments

Comments

@jnweiger
Contributor

jnweiger commented Dec 21, 2022

Seen with 2.2.20-rc.6 core 10.11.0 and keycloak idp.

$CONFIG = [
  'openid-connect' => [
    'provider-url'    => 'https://ZZZZZZZZZZZZZZZ/realms/owncloud.works',
    'client-id'       => 'YYYYYYYYYYYYYYY',
    'client-secret'   => 'XXXXXXXXXXX',
    'loginButtonName' => 'Keycloak OIDC',
    // keycloak features a setting 'Front channel logout URL', but there it does not do anything. Try here:
    // 'post_logout_redirect_uri' => 'https://AAAAAAAAAAAAAAA.jw-qa.owncloud.works',
    'auto-provision'  => [
      // explicitly enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // mode: This is the attribute in the owncloud accounts table to search for users. The default value is email. The alternative value is: userid.
      'mode' => 'email',
      // only relevant in userid mode, defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines the claim which holds the display name of the user
      'display-name-claim' => 'name',   // family_name, given_name, email, preferred_username
      // defines the claim which holds the picture of the user - the value of key 'picture' must be a URL
      'picture-claim' => 'picture',
      // defines a list of groups to which the newly created user will be added automatically
      'groups' => ['keycloak'],
      'update' => [
        // update user account info with current information provided by the OpenID Connect provider upon each log in.
        'enabled' => true,
      ],
    ],
  ],
];

  • log in the user at the web UI, using the 'Keycloak OIDC' button. OK
  • log out the user. A keycloak logout confirmation dialog appears:
    [screenshot]

  • confirm the logout, a final dialog appears, with an incomplete message, and no further redirect back to owncloud. BAD
    [screenshot]

Expected behavior

  • the user gets redirected to the owncloud login screen.

Workaround attempts

  • configure 'Front-channel logout URL' in keycloak either with a) the base url of owncloud or b) with the .../apps/openidconnect/logout endpoint -> no change.
  • configure 'Backchannel logout URL' in keycloak (a) or (b) -> no change.
  • configure 'post_logout_redirect_uri' in owncloud (a) or (b) -> an error appears:
    [screenshot]

Not sure if one of the workaround attempts should have done the trick, or if that can be configured elsewhere.

@DeepDiver1975
Member

DeepDiver1975 commented Dec 21, 2022

  • configure 'post_logout_redirect_uri' in owncloud (a) or (b) -> an error appears:

This is the way this should work .....
refs https://openid.net/specs/openid-connect-rpinitiated-1_0.html

id_token_hint is recommended as per specs - seems like keycloak is requiring it .....

@DeepDiver1975
Member

please note that we are not supporting front channel logout - but support back channel ...

@jnweiger
Contributor Author

should work?
Can you say if it is a bug that id_token_hint is missing, or if it is still some misconfiguration on my side?
I could not find owncloud docs about front-channel and back-channel -- so I am just trying things.

@DeepDiver1975
Member

Can you say if it is a bug that id_token_hint is missing, or if it is still some misconfiguration on my side?

No idea - sorry - needs debugging ....

@DeepDiver1975
Member

I could not find owncloud docs about front-channel and back-channel -- so I am just trying things.

readme holds this info afaik ....

@StefanHerb

We have the same issue.
We use openidconnect 2.2.0, Owncloud 10.13.4.1 and keycloak idp

However, the id_token_hint is still sent within the first 1-5 minutes after login in the event of a logoff. If you stay logged in longer, only the post_logout_redirect_uri is passed to the sso (keycloak).
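To make the two points in this thread concrete (DeepDiver1975's note that the RP-initiated logout spec recommends id_token_hint and that Keycloak insists on it when post_logout_redirect_uri is sent, and StefanHerb's observation that the hint disappears from the request a few minutes after login), here is an added example that is not part of the openidconnect app or of Keycloak: a small builder for the end-session request that refuses to emit a redirect without id_token_hint or client_id (client_id being the spec's documented fallback), plus an audit function you can run over a captured logout URL to confirm whether the hint is really still present. Endpoint, redirect URI and token are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def build_end_session_url(end_session_endpoint, post_logout_redirect_uri=None,
                          id_token_hint=None, client_id=None, state=None):
    """Build an OpenID Connect RP-Initiated Logout 1.0 request.

    id_token_hint is RECOMMENDED by the spec and client_id is the fallback
    identifier; Keycloak refuses the redirect when neither accompanies
    post_logout_redirect_uri, so this builder refuses to emit such a request.
    """
    if post_logout_redirect_uri and not (id_token_hint or client_id):
        raise ValueError("post_logout_redirect_uri needs id_token_hint or client_id")
    params = {
        "id_token_hint": id_token_hint,
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    query = urlencode({k: v for k, v in params.items() if v})
    scheme, netloc, path, _, _ = urlsplit(end_session_endpoint)
    return urlunsplit((scheme, netloc, path, query, ""))


def audit_logout_request(url, registered_redirects):
    """List what an OP would object to in an outgoing logout URL.

    Run it over a captured request (e.g. one issued well after login) to
    check whether id_token_hint is actually still being sent.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    redirect = q.get("post_logout_redirect_uri")
    if redirect:
        if not (q.get("id_token_hint") or q.get("client_id")):
            problems.append("post_logout_redirect_uri without id_token_hint or client_id")
        if redirect not in registered_redirects:
            problems.append("post_logout_redirect_uri not registered with the OP")
    return problems


# Constructed placeholders: no real hosts, realms or tokens.
END_SESSION = "https://idp.example/realms/owncloud.works/protocol/openid-connect/logout"
REDIRECT = "https://cloud.example/index.php/login"
FAKE_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.e30.placeholder-signature"

if __name__ == "__main__":
    good = build_end_session_url(END_SESSION, REDIRECT, id_token_hint=FAKE_ID_TOKEN)
    print(good, audit_logout_request(good, {REDIRECT}))
    # The stale-session shape from this thread: hint gone, only the redirect left.
    stale = END_SESSION + "?" + urlencode({"post_logout_redirect_uri": REDIRECT})
    print(audit_logout_request(stale, {REDIRECT}))
```

The registered-redirect check mirrors the spec's requirement that post_logout_redirect_uri be pre-registered with the OP, which is the other common cause of the error screen shown in this issue.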
