OpenID Connect Logout Improvement in RH-SSO 7.6

[junminahn]

What is the impact of RH-SSO 7.6 (Keycloak v18) on the user session logout process?

[junminahn]

One of the changes made in the latest RH-SSO version 7.6 (Keycloak v18), to remove the negative impact on performance and security, is around OpenID Connect Logout that follows the OpenID Connect RP-Initiated Logout specification and deprecates the parameter redirect_uri.
Since many Gov teams make use of the redirect_uri parameter to log out the users in their applications, we applied an available patch to support the backwards compatibility option with redirect_uri; we also want to highlight that this option will be completely deprecated in the future Keycloak releases.

To summary, there are two ways of logging out the authenticated users from the Keycloak (RH-SSO 7.6):

1. include id_token_hint and post_logout_redirect_uri parameters. (recommended)
   ex) https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?post_logout_redirect_uri=http://localhost:3000&id_token_hint=xxxxxxxxxxxxxxxxxxxxx

2. include redirect_uri parameter (will be completely deprecated)
   ex) https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?redirect_uri=http://localhost:3000

References:

• https://www.keycloak.org/2022/04/keycloak-1800-released#_openid_connect_logout
• https://openid.net/specs/openid-connect-rpinitiated-1_0.html