I'm a newbie in this subject. I configured Keycloak and mod_auth_openidc in Apache 2.x. I have a simple PHP app, and I want to log out from this app, but I need the id_token_hint variable.

https:///auth/realms//protocol/openid-connect/logout?id_token_hint=xxxyyy&post_logout_redirect_uri=<url encoded redirect url>

I can get many OIDC_CLAIM_* variables from the header, but I don't get id_token. I only have access_token and access_token_expires, but that is not a valid value for id_token_hint.

mod_auth_openidc configuration:

    OIDCCryptoPassphrase 012345678
    OIDCProviderMetadataURL https://testsite:8443/realms/myrealm/.well-known/openid-configuration
    OIDCClientID client
    OIDCClientSecret xxxyyyzzz
    OIDCRedirectURI http://testsite/phpsite/redirect_uri
    OIDCRemoteUserClaim  email
    OIDCInfoHook userinfo

    # only for test with self signed cert
    OIDCSSLValidateServer Off

    OIDCScope "openid"
    # OIDCResponseType code
    <Location /phpsite>
            AuthType openid-connect
            Require valid-user
            Require claim
    </Location>

Anybody have an idea? Best regards

1 Answer

Maybe this could help you?
IIRC, you must ask for the id token as well as the access token (I don't know how to do it exactly in PHP, but I'm sure you will find out), and then send this id token to logout.

Hope it helps

yodamousta
  • Thanks for your response. I read it some days ago. Unfortunately that doesn't work. I have this in my config: OIDCScope "openid" – Piotr Siewiera Aug 26 '22 at 10:13
  • You were right with this. I must connect to the endpoint /token (sudo curl -k -d 'scope=openid' -d 'client_id=client' -d 'client_secret=xxxyyyzzz' -d 'username=p.s@xxx.com' -d 'password=xxxyyy' -d 'grant_type=password' 'https://testsite:8443/realms/myrealm/protocol/openid-connect/token' ) with the parameter scope=openid, then I get id_token. I don't get the token from any header but from the endpoint /token. Thanks. I must check this now, but I think that is the right path – Piotr Siewiera Aug 26 '22 at 15:19
  • Glad I helped you, if it was the answer to your question feel free to mark it as the answer. :) – yodamousta Aug 26 '22 at 22:12
  • OK, I will check the solution for sure in my app and I'll mark it if it is OK. – Piotr Siewiera Aug 27 '22 at 13:16
  • I checked this and I made a change.... If we use grant_type=password we must have the password, but we want to get the id_token of the user who is logged in, and we don't want to know his password. My change is: grant_type=password to grant_type=client_credentials and remove the username and password parameters from the cURL request. It works and we get id_token. Now Keycloak deletes the user session. – Piotr Siewiera Aug 30 '22 at 10:37
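As an added example (not code from the question, the answer or mod_auth_openidc itself), this is how the PHP app can build the Keycloak end-session URL from the id_token the module already holds for the logged-in user. It assumes mod_auth_openidc is configured with `OIDCPassIDTokenAs serialized`, so the raw id_token reaches PHP as `$_SERVER['OIDC_id_token']`, that the realm URL is the one from OIDCProviderMetadataURL above, and that `loggedout.php` is a hypothetical post-logout page.

```php
<?php
// Added example: build the Keycloak logout redirect inside the PHP app.
// Assumes "OIDCPassIDTokenAs serialized" in the mod_auth_openidc config,
// which exposes the raw id_token to PHP as $_SERVER['OIDC_id_token'].
declare(strict_types=1);

function build_logout_url(string $issuer, string $idToken, string $postLogoutUri, array $allowedPostLogoutUris): string
{
    // Only redirect to URIs registered for this client; an unchecked
    // post_logout_redirect_uri is an open redirect.
    if (!in_array($postLogoutUri, $allowedPostLogoutUris, true)) {
        throw new InvalidArgumentException('post_logout_redirect_uri not in allow-list');
    }
    // A serialized id_token is a compact JWS: three base64url segments.
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/', $idToken)) {
        throw new InvalidArgumentException('id_token is not a compact JWT');
    }
    // http_build_query percent-encodes the redirect URI for us.
    $query = http_build_query([
        'id_token_hint'            => $idToken,
        'post_logout_redirect_uri' => $postLogoutUri,
    ], '', '&', PHP_QUERY_RFC3986);

    return rtrim($issuer, '/') . '/protocol/openid-connect/logout?' . $query;
}

// Token of the user who is actually logged in, as passed by the module.
$idToken = $_SERVER['OIDC_id_token'] ?? '';
if ($idToken === '') {
    http_response_code(500);
    exit('id_token not available: check OIDCPassIDTokenAs');
}

$url = build_logout_url(
    'https://testsite:8443/realms/myrealm',      // realm from the config above
    $idToken,
    'http://testsite/phpsite/loggedout.php',     // hypothetical post-logout page
    ['http://testsite/phpsite/loggedout.php']    // allow-list kept server-side
);
header('Location: ' . $url, true, 302);
exit;
```

Keycloak only honours post_logout_redirect_uri when the same URI is also registered for the client on the server side, so the allow-list here should mirror that client setting.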