Keycloak 19.0.1 and Setting the id_token_hint
Created a blog some time ago setting up keycloak express and OIDC client and it happily worked fine with keycloak-17.0.0 and still does. On keycloak-19.0.2 same code completely falls over. (Note to self always set prerequisites on dependencies in blogs).
First issue: I needed to enable Standard flow for the client in Keycloak, as I was seeing the following error in the logs.
It's in the Clients \ Capability config section.
Secondly, I was using localhost for my URIs in Keycloak and in my code base, and keycloak-19 did not play well with it. Changed everything to 127.0.0.1 and most routes started working again, with the exception of logout. I was hitting the following issue.
The keycloak logs had a similar error with more details.
So because I was using post_logout_redirect_uri I needed to use either the client_id or the id_token_hint parameter. So I had three options:
- stop using post_logout_redirect_uri
- add a client_id parameter alongside post_logout_redirect_uri
- add an id_token_hint parameter alongside post_logout_redirect_uri
Stop using post_logout_redirect_uri
Remove it from the keycloakeIssuer.Client.
Looks like this: it prompts for a logout and leaves you at a Keycloak logged-out screen.
Add client_id parameter
We have set the client_id in the keycloakeIssuer.Client, so it is just a matter of setting it in the logout as a parameter.
Looks like this; as you can see it asks for another confirmation before redirecting to the app.
Add id_token_hint parameter
What is id_token_hint and how do I populate it?
Me, I am terrible at reading/comprehending documentation and much prefer a good example. In this case I didn't find any examples. I found the following documentation referencing id_token_hint:
- OpenID Connect RP-Initiated Logout, which I found too abstract to work out how to generate or find the id_token_hint.
- the node-oidc-client, which gave me a hint.
There is a tokenSet object that is created as part of the passportjs strategy login flow. I inspected this object and found that it has an id_token. I set id_token_hint = id_token and my issue was solved.
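As an added example (not the blog's code, and not the sample repo it links to), here is what the three options above look like in one place: a small logout builder for an Express + passport + openid-client app that sends id_token_hint when the session still has the id_token, falls back to client_id when it does not, and refuses to build a URL with post_logout_redirect_uri and neither of the two, which is the combination Keycloak 19 rejects. The Keycloak endpoint URL, realm, client id, redirect URI and the verify/logoutHandler function names are constructed placeholders.

```javascript
// Added example, not the blog's code: Keycloak 19 RP-initiated logout helpers.
// The endpoint URL, realm, client id and redirect URI are constructed placeholders.
const END_SESSION_ENDPOINT =
  'http://127.0.0.1:8080/realms/example-realm/protocol/openid-connect/logout';
const CLIENT_ID = 'example-client';
const POST_LOGOUT_REDIRECT_URI = 'http://127.0.0.1:3000/';

// Build the end-session URL by hand. The rule the post ran into is made explicit:
// post_logout_redirect_uri is only accepted together with id_token_hint or
// client_id, so refuse to build a URL Keycloak would reject with an error page.
function buildLogoutUrl(endSessionEndpoint, { idToken, clientId, postLogoutRedirectUri } = {}) {
  if (postLogoutRedirectUri && !idToken && !clientId) {
    throw new Error('post_logout_redirect_uri requires id_token_hint or client_id');
  }
  const url = new URL(endSessionEndpoint);
  // id_token_hint is preferred: it identifies the session, so Keycloak can end it
  // and redirect straight back without the extra confirmation screen.
  if (idToken) {
    url.searchParams.set('id_token_hint', idToken);
  } else if (clientId) {
    url.searchParams.set('client_id', clientId);
  }
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  return url.toString();
}

// Passport verify callback in the shape openid-client's Strategy invokes it:
// (tokenSet, userinfo, done). Keep tokenSet.id_token on the user object so the
// logout route can hand it back to Keycloak later.
function verify(tokenSet, userinfo, done) {
  const user = { sub: userinfo.sub, name: userinfo.name, id_token: tokenSet.id_token };
  return done(null, user);
}

// Express handler (hypothetical name): redirect the browser to Keycloak's
// end-session endpoint. Assumes passport populated req.user via verify() above;
// if the id_token is missing from the session, client_id is sent instead.
function logoutHandler(req, res) {
  const idToken = req.user && req.user.id_token;
  const logoutUrl = buildLogoutUrl(END_SESSION_ENDPOINT, {
    idToken,
    clientId: CLIENT_ID,
    postLogoutRedirectUri: POST_LOGOUT_REDIRECT_URI,
  });
  res.redirect(logoutUrl);
}
```

In a real app you would register it as `app.get('/logout', logoutHandler)`; openid-client also offers `client.endSessionUrl({ id_token_hint: tokenSet.id_token, post_logout_redirect_uri })`, which produces the same query string as the hand-built version above.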
So I was using passportjs and node-openid-client.
Looks like this, and is a much better user experience.
Code lives here