EAS + Keycloak - Logout #191

Open
dnikoloski opened this issue Jul 24, 2024 · 3 comments

@dnikoloski

dnikoloski commented Jul 24, 2024

Hi

I am using EAS + Keycloak

EAS Config:

    ****-com-eas:
      aud: ****-com-eas
      eas:
        plugins:
          - type: oidc
            issuer:
              discover_url: "https://iam****.com/realms/Portal/.well-known/openid-configuration"

              issuer: "https://iam.****.com/realms/Portal"
              authorization_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/auth"

              token_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/token"
              userinfo_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/userinfo"
              jwks_uri: "https://iam.****.com/realms/Portal/protocol/openid-connect/certs"

            client:
              client_id: ****-com-eas
              client_secret: j********************B

              registration_client_uri: "https://iam.****.com/realms/Portal/clients-registrations/openid-connect/portal-eas"
              registration_access_token: "eyJ*********************************************************************************************************************************************************************************************************************************************H2s"

            scopes:
              - openid
              - email
              - profile

            custom_authorization_parameters: { }
            custom_authorization_code_parameters: { }
            custom_refresh_parameters: { }
            custom_revoke_parameters: { }

            redirect_uri: "https://auth.****.com/oauth/callback"

            features:
              cookie_expiry: false
              userinfo_expiry: true
              session_expiry: true
              session_expiry_refresh_window: 86400
              session_retain_id: true
              refresh_access_token: true
              fetch_userinfo: true
              introspect_access_token: false
              introspect_expiry: 0

              authorization_token: access_token

              filtered_service_headers: [ ]

              logout:
                revoke_tokens_on_logout: ["refresh_token", "access_token", "id_token"]
                end_provider_session:
                  enabled: false
                  post_logout_redirect_uri: "https://auth.****.com/oauth/end-session-redirect"

                backchannel:
                  enabled: false

            assertions:
              exp: true
              nbf: true
              iss: true
              userinfo: [ ]
              id_token: [ ]
              access_token: [ ]

            xhr:
              redirect_http_code: 401
              use_referer_as_redirect_uri: true

            csrf_cookie:
              enabled: true
              domain: "****.com"
              path: /
              httpOnly: true
              secure: true
              sameSite: none

            cookie:
              name: corex-iam-session
              domain: "****.com"
              path: /
              httpOnly: true
              secure: true
              sameSite: none

            custom_error_headers:
              Access-Control-Allow-Origin:
                source: req
                query_opts:
                  single_value: true
                query_engine: jp
                query: "$.headers.origin"

              Access-Control-Allow-Credentials:
                source: static
                query_engine: static
                query: true

              Access-Control-Allow-Headers:
                source: static
                query_engine: static
                query: "location, x-pagination"

              Access-Control-Expose-Headers:
                source: static
                query_engine: static
                query: "location, x-pagination"

            custom_service_headers: { }

My front-end has a Logout button that calls:
https://{{ .Values.web.domain }}/api?__eas_oauth_handler__=logout&redirect_uri=https://{{ .Values.web.domain }},
while the call itself works, I am not redirected immediately to the Keycloak login page, but I am getting a 302 error (I still stay on the front-end) in the console. I have to refresh the front-end page to be redirected to Keycloak...

I am assuming that there should be an await somewhere?

@travisghansen
Owner

Welcome! That’s a pretty great config you have! I love to see folks using the advanced features :)

Is the logout button executing an xhr/ajax request? Or is it sending the browser to the logout URL directly?

@dnikoloski
Author

Thanks, we are trying to squeeze out the best stuff of it.

We are currently sending the browser to the logout URL directly...

@travisghansen
Owner

Then my guess is you need to url encode the redirect uri. The logs of eas and/or the har from the browser (make sure to cleanse anything sensitive, and you may email it vs attaching on github) would be helpful to see what the browser is doing and what eas is doing.

Alternatively a screenshare/call would be fine as well. Again just email me and we can sort out details if you wish.
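
The URL-encoding suggestion in the comment above, shown as an added example that is not part of the original thread or of the EAS project's code: it builds the logout URL by plain concatenation and with `URLSearchParams`, then parses both to show which `redirect_uri` a query-string parser recovers. The hostnames and the return URL are constructed placeholders; only the two query parameter names come from the issue.

```javascript
// Added example. Hostnames and the return URL are constructed placeholders;
// __eas_oauth_handler__ and redirect_uri are the parameter names from the issue.

// Plain string concatenation, the way the logout link in the issue is built.
function naiveLogoutUrl(apiBase, redirectUri) {
  return `${apiBase}?__eas_oauth_handler__=logout&redirect_uri=${redirectUri}`;
}

// URLSearchParams percent-encodes the value, so the whole return URL
// travels as one redirect_uri parameter.
function encodedLogoutUrl(apiBase, redirectUri) {
  const url = new URL(apiBase);
  url.searchParams.set("__eas_oauth_handler__", "logout");
  url.searchParams.set("redirect_uri", redirectUri);
  return url.toString();
}

// What a standard query-string parser on the receiving side recovers.
function parsedParams(logoutUrl) {
  return Object.fromEntries(new URL(logoutUrl).searchParams);
}

const API = "https://app.example.com/api"; // constructed
const RETURN_TO = "https://app.example.com/home?tab=1&lang=en#top"; // constructed

const naive = parsedParams(naiveLogoutUrl(API, RETURN_TO));
const encoded = parsedParams(encodedLogoutUrl(API, RETURN_TO));

// Unencoded: "&lang=en" becomes a separate outer parameter and "#top" becomes
// the fragment of the logout URL, so redirect_uri arrives truncated.
console.log("naive  :", naive);
// Encoded: redirect_uri round-trips intact.
console.log("encoded:", encoded);
```

For a bare origin such as the one in the issue, both forms parse to the same value in this parser; the difference appears once the return URL carries its own query string or fragment.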
