GET /realms/[REALM_NAME]/protocol/openid-connect/logout?post_logout_redirect_uri=[...]&id_token_hint=[..very large jwt-token >4096..]
414 (URI too long (link)) 302.
It seems that the logout URI path is too long. The default length of the Keycloak Quarkus service is 4096 bytes (link).
Set higher length for quarkus parameter quarkus.http.limits.max-initial-line-length ...
-quarkus.http.limits.max-initial-line-length=8192
QUARKUS_HTTP_LIMITS_MAX_INITIAL_LINE_LENGTH=8192
AFAIK, you should pass an ID token to the id_token_hint and not an access token. From the OpenID Connect standard (section 2. RP-Initiated Logout) one can read:
This specification defines the following parameters that are used in the logout request at the Logout Endpoint:
id_token_hint RECOMMENDED. ID Token previously issued by the OP to the RP passed to the Logout Endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP.
So you need to pass id_token_hint=<id_token>. You get the ID token by calling the token endpoint with the scope=openid. For example, when a user logs in via browser, if your request includes the scope=openid you will get (along with the refresh and access tokens) the user ID token.
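A pre-flight check for the logout request discussed above, as an added example that is not part of the original question or answer and is not Keycloak code. It assumes Keycloak's payload claim typ is "ID" for ID tokens and "Bearer" for access tokens, and it treats the 4096-byte limit as applying to the whole HTTP request line; the realm name, redirect URI and sample tokens are constructed.

```python
import base64
import json
from urllib.parse import urlencode

MAX_INITIAL_LINE = 4096  # default limit quoted in the question


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_logout_request(realm, token, redirect_uri, limit=MAX_INITIAL_LINE):
    """Return (request_line_length, problems) for an RP-initiated logout GET."""
    problems = []
    typ = jwt_claims(token).get("typ")
    # Assumption: Keycloak marks ID tokens with typ "ID", access tokens with "Bearer".
    if typ != "ID":
        problems.append(f"id_token_hint carries typ={typ!r}, expected an ID token")
    query = urlencode({"post_logout_redirect_uri": redirect_uri, "id_token_hint": token})
    line = f"GET /realms/{realm}/protocol/openid-connect/logout?{query} HTTP/1.1"
    if len(line) > limit:
        problems.append(f"request line is {len(line)} bytes, limit is {limit}")
    return len(line), problems


def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: a small ID token and an access token bloated by role claims.
ID_TOKEN = make_token({"typ": "ID", "sub": "user-1", "aud": "demo-client"})
ACCESS_TOKEN = make_token({"typ": "Bearer", "sub": "user-1",
                           "realm_access": {"roles": [f"role-{i}" for i in range(400)]}})

if __name__ == "__main__":
    for name, tok in (("id token", ID_TOKEN), ("access token", ACCESS_TOKEN)):
        print(name, check_logout_request("demo", tok, "https://app.example/after-logout"))
```

Running the check in the client before redirecting to the logout endpoint shows whether a 414 comes from the wrong token type or from the token's size, which is worth knowing before raising the server-side limit.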