Keycloak 18 openid logout - 404 (due the 2800 characters limit in the HTTP query for the IIS server)

[adnsimona]

Describe the bug

Hi.

We've recently updated our keycloak to 18.0.0.
Everything worked fine, automatically, except the logout mechanism.
Our site was still using redirect_uri.
We updated the frontend to use the most recent keycloak-js.
Now it is sending post_logout_redirect_uri and id_token_hint correctly.

And here is the issue, the logout is resulted in a Server Error: 404
"
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
"

I read that the 18 keycloak now asks confirmation to logout. We are using a custom template for the client.
Do we miss the page for the logout confirmation from our template?
If so, where can I find a sample template for this?

Would be nice: to display the error message in the log, what is not found exactly.

Cheers,
Ádám

Version

18.0.0

Expected behavior

User logs out

Actual behavior

404

How to Reproduce?

Probably: Use a custom template from an older version.

Anything else?

No response

[adnsimona]

Though what leaves us puzzled, is the following from the keycloak documentation:
"It is possible to omit the confirmation and do automatic redirect to the application when you include parameter post_logout_redirect_uri together with the parameter id_token_hint with the ID Token used for login."
They are both included in the url, but it still throws 404, probably searching for the confirmation page.

[adnsimona]

Also the custom theme / login inherits from keycloak theme, that inherits from base, so the deafult confirmation page should be there.

[adnsimona]

Additional info: we upgraded from 14, and the new 18 version is from a legacy docker image, so we still use WildFly.

[adnsimona]

We discovered that the id_token_hint, that keycloak-js provides are not exactly the same as the token we got from the backend.
e.g. the "typ" is ID vs. Bearer, And the aud is different.
We also tried to replace the keycloak-js generated token to the Bearer in the url, but still getting the 404.

[adnsimona]

Also when the post_logout_redirect_uri was https://---oursite---.org/some_subpage, and we got 404, we replaced it with https://---oursite---.org in the url, and pressed enter, and it logged out correctly, and arrived on the login page.
But now we tried to send the redirectUri from frontend using keycloak-js set to https://---oursite---.org, that set the post_logout_redirect_uri to https://---oursite---.org, and we still get 404.

[adnsimona]

Additional info: we use the same docker image with same setup locally and on the server.
Locally logout works correctly.
The only exception is that on the server we are setting the KEYCLOAK_FRONTEND_URL to https://---oursite---.org/auth/ (This worked so far)
and on the server the requests/responses are going through nginx. Maybe nginx not forwarding the full large url? I'm checking that next.

[adnsimona]

We found that the issue is the query limitation in IIS.
The logout url length with the query was 2800 chars.
This brings up an other idea though: Wouldn't it be nicer to make the logout a POST request and send the token_id_hint and the post_logout_redirect_uri in the body?

[hendisantika]

So, how do you fix the issue @adnsimona . I have some issue.
Thanks

[mposolda]

@adnsimona Glad that you figured the issue. Sorry for the late response. Some alternative solution is (should surely work in Keycloak 19, not 100% sure if supported in Keycloak 18) that instead of using OIDC logout GET request, you can use POST request. This should help with the query limit. Using the POST request for the logout is currently not supported in the OIDC javascript adapter. I think it can be supported to add the flag option for the keycloak.js logout method to use the POST method for the logout instead of the GET method. So this would be purely task for the javascript adapter (nothing needed on the Keycloak server).

Considering this, I am moving this to the area/adapter/javascript and also I am adding label "Help wanted" as Keycloak team won't have time to look at this in the near future, so it would need to be a community contribution

[mduzgun]

It is related nginx configuration. nginx has character limitation in default configuration.
For fixing, we added this parameter in nginx conf:

proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;