Description
Describe the bug
Keycloak (18+) no longer recommends the redirect_uri parameter during logout, as the OpenID Connect RP-Initiated Logout spec now mandates post_logout_redirect_uri with id_token_hint as parameters. Galaxy's logout flow still calls authnz/logout with redirect_uri only. As a result, Keycloak does not redirect back to the login page upon completion of logout. This means we are not spec compliant and are reliant on features that may be removed altogether.
Furthermore, Galaxy currently relies on two separate HTTP calls from the client (user/logout, then authnz/logout) to log out the Galaxy session, followed by the IdP session. This is buggy, because the Galaxy session is invalidated in the first call, so that by the time the provider-specific logout executes, the call is already sessionless and cannot provide an id_token_hint.
Galaxy Version and/or server at which you observed the bug
Galaxy Version: v25.0.3-dev (v25.0.3-2646-gd2279b19c9) Commit: d703a3d
To Reproduce
1. Configure Galaxy with a Keycloak 18+ OIDC provider via oidc_backends_config.xml, ensuring logout is enabled.
2. Start Galaxy from the commit above and log in via Keycloak.
3. Click "Log out" in the UI: the SPA issues POST /api/users/logout, which succeeds and clears the Galaxy session.
4. The SPA then calls POST /api/authnz/logout for the same provider. The backend now lacks the Galaxy session and still posts only redirect_uri to Keycloak's /protocol/openid-connect/logout.
5. Keycloak does not redirect back to the login page.
Expected behavior
Galaxy should perform a single logout call that both clears the Galaxy session and triggers IdP logout while Galaxy still has access to the stored user session, sending post_logout_redirect_uri and id_token_hint so that the IdP logs the user out and redirects back to Galaxy (or the configured URL) without errors.
Additional context
- The OpenID Connect RP-Initiated Logout spec now mandates post_logout_redirect_uri with id_token_hint; this is not Keycloak-specific (see https://stackoverflow.com/questions/71984843/keycloak-using-react-user-can-login-but-when-i-try-logout-i-get-a-message-inva).
- Galaxy currently relies on two separate HTTP calls (user/logout then authnz/logout), so the session is invalidated before the provider-specific logout executes.
- The backend should trigger IdP logout as part of user/logout (before clearing the PSA storage) and include both post_logout_redirect_uri and id_token_hint per the OIDC specification.
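The two orderings described in this issue, as an added example that is not Galaxy or python-social-auth code. It builds the RP-Initiated Logout redirect the way the issue asks for (id_token_hint plus post_logout_redirect_uri), keeps the legacy redirect_uri-only form beside it for contrast, and shows why the current two-call order fails: once the local session store has been cleared there is no id_token left to send. The endpoint URL, the id_token value, the SessionStore class and the two logout functions are all constructed for illustration and do not correspond to real Galaxy or Keycloak identifiers.

```python
"""Added example: OIDC RP-Initiated Logout URL construction and the
clear-before-redirect ordering bug.  Not Galaxy's own code."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; a real id_token is a signed JWT from the IdP.
END_SESSION_ENDPOINT = (
    "https://idp.example.org/realms/galaxy/protocol/openid-connect/logout"
)
SAMPLE_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.signature"
POST_LOGOUT_URL = "https://galaxy.example.org/login"


def build_rp_initiated_logout_url(end_session_endpoint, id_token,
                                  post_logout_redirect_uri, state=None):
    """Build the spec-style logout redirect.

    The OP will only honour post_logout_redirect_uri when it can tie the
    request to the client that registered that URI, which is what
    id_token_hint provides.  Refuse to build a redirect that carries the
    redirect target without the hint, since the IdP would just drop it.
    """
    if not id_token:
        raise ValueError("id_token_hint is required with post_logout_redirect_uri")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if state:
        params["state"] = state  # echoed back by the OP, lets the RP correlate
    return f"{end_session_endpoint}?{urlencode(params)}"


def build_legacy_logout_url(end_session_endpoint, redirect_uri):
    """The pre-spec form the issue describes: redirect_uri only, no hint."""
    return f"{end_session_endpoint}?{urlencode({'redirect_uri': redirect_uri})}"


def logout_params(url):
    """Decode the query string of a logout redirect into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class SessionStore:
    """Stand-in (constructed) for the per-user PSA/Galaxy session storage
    that holds the id_token received at login."""

    def __init__(self, id_token):
        self._id_token = id_token

    def get_id_token(self):
        return self._id_token

    def clear(self):
        self._id_token = None


def two_call_logout(store):
    """Current order: clear the Galaxy session first, then build the IdP
    redirect.  The token is gone by then, so no compliant URL can be built."""
    store.clear()
    try:
        return build_rp_initiated_logout_url(
            END_SESSION_ENDPOINT, store.get_id_token(), POST_LOGOUT_URL
        )
    except ValueError:
        return None


def single_call_logout(store):
    """Proposed order: build the IdP redirect while the token is still in
    storage, then clear the local session and hand the URL to the client."""
    url = build_rp_initiated_logout_url(
        END_SESSION_ENDPOINT, store.get_id_token(), POST_LOGOUT_URL
    )
    store.clear()
    return url


if __name__ == "__main__":
    print("two-call:", two_call_logout(SessionStore(SAMPLE_ID_TOKEN)))
    print("single-call:", single_call_logout(SessionStore(SAMPLE_ID_TOKEN)))
```

The value passed as post_logout_redirect_uri still has to be one of the redirect URIs registered for the client at the IdP; the hint only tells the OP which client's registration to check it against.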

