This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

document compatibility mode for oidc logout endpoint suppression #1658

Merged
2 changes: 1 addition & 1 deletion upgrading/topics/keycloak/changes-18_0_0.adoc
Expand Up @@ -68,7 +68,7 @@ endif::[]

With this configuration, you can still use the format with the `redirect_uri` parameter. Note the confirmation screen will be needed if the `id_token_hint` is omitted.

WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 21. You are encouraged to update your clients as soon as possible
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible
as described above rather than rely on this switch.

= Removal of the `upload-scripts` feature
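Review bot: The version change in the WARNING line (Keycloak 21 to Keycloak 23) is not covered by this PR's title and comes with no stated rationale. Please confirm that the `redirect_uri` compatibility switch is really meant to stay until 23, since operators schedule client migrations around this statement. The same "probably Keycloak 23" wording is also hard-coded in changes-19_0_2.adoc, so a shared attribute for the removal version would keep the two warnings from drifting apart.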
31 changes: 31 additions & 0 deletions upgrading/topics/keycloak/changes-19_0_2.adoc
@@ -0,0 +1,31 @@
= OpenID Connect Logout Prompt
At Keycloak 18.0.0, the logout is now compatible with the new OIDC specification, which changed the handling for the url parameters. However, to also remain compatible with earlier versions, a compatibility flag is introduced. See the link:{upgradingguide_link}#openid-connect-logout[{upgradingguide_name}] for further information for the backwards compatibility option, which allows your application to still use the old format for the url parameters.

While the url parameters can now be configured to be compatible, there was still one incompatibility with keycloak 17 and earlier releases. If the user does not provide an valid `idTokenHint`, a logout prompt appears instead of a successful logout redirect. Therefore, a new compatibility flag `suppress-logout-confirmation-screen` is introduced to suppress the logout screen.

ifeval::["{kc_dist}" == "quarkus"]
You can enable this parameter when you start the server by entering the following command:

```
bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true start
```
endif::[]

ifeval::["{kc_dist}" == "wildfly"]
You can enable this parameter by including the following configuration in the `standalone-*.xml` file

[source,bash,subs=+attributes]
----
<spi name="login-protocol">
<provider name="openid-connect" enabled="true">
<properties>
<property name="suppress-logout-confirmation-screen" value="true"/>
</properties>
</provider>
</spi>
----
endif::[]

With this configuration, you can still use the logout endpoint without a user prompt.

WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.
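Review bot: The paragraph introducing `suppress-logout-confirmation-screen` does not state the trade-off of enabling it. By the text's own description, the prompt is what appears when a logout request arrives without a valid ID token hint, so with the flag on such a request ends the session with no confirmation from the user. Please add a sentence saying this, and recommend that clients send the hint rather than rely on the flag. Smaller points in the same file: the parameter is written `idTokenHint` here but `id_token_hint` in changes-18_0_0.adoc; the quarkus block uses Markdown backtick fences inside an AsciiDoc file, while the wildfly block is tagged `[source,bash,subs=+attributes]` although it contains XML; "an valid" should be "a valid"; and the closing WARNING says "as described above" although nothing in this file describes how to update clients.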
4 changes: 4 additions & 0 deletions upgrading/topics/keycloak/changes.adoc
@@ -1,5 +1,9 @@
== Migration Changes

=== Migrating to 19.0.2

include::changes-19_0_2.adoc[leveloffset=3]

=== Migrating to 19.0.0

include::changes-19_0_0.adoc[leveloffset=3]