fix(auth): resolve invalid redirect uri on keycloak logout

USHER-PB · USHER-PB · commit 523a9e128167 · 2026-02-22T17:46:32.000+01:00
diff --git a/lgtm-stack/terraform/keycloak.tf b/lgtm-stack/terraform/keycloak.tf
@@ -36,7 +36,10 @@ resource "keycloak_openid_client" "grafana" {
   admin_url = "https://grafana.${var.monitoring_domain}"
 
   valid_redirect_uris = [
-    "https://grafana.${var.monitoring_domain}/login/generic_oauth"
+    "https://grafana.${var.monitoring_domain}/login/generic_oauth",
+    # Required for KC 18+ post-logout redirect to function correctly.
+    # Must perfectly match the post_logout_redirect_uri parameter sent by Grafana.
+    "https://grafana.${var.monitoring_domain}/login"
   ]
 
   web_origins = [
diff --git a/lgtm-stack/terraform/values/grafana-values.yaml b/lgtm-stack/terraform/values/grafana-values.yaml
@@ -114,7 +114,9 @@ grafana.ini:
 
     # Single Logout: after signing out of Grafana, the user is
     # also logged out of Keycloak and redirected back to login.
-    signout_redirect_url: ${keycloak_url}/realms/${keycloak_realm}/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fgrafana.${monitoring_domain}%2Flogin
+    # OpenID RP-Initiated Logout (KC 18+) requires the client_id to be sent 
+    # to authorize the post_logout_redirect_uri.
+    signout_redirect_url: ${keycloak_url}/realms/${keycloak_realm}/protocol/openid-connect/logout?client_id=grafana-oauth&post_logout_redirect_uri=https%3A%2F%2Fgrafana.${monitoring_domain}%2Flogin
 
 datasources:
   datasources.yaml:
