
Keycloak logout response 414

GET /realms/[REALM_NAME]/protocol/openid-connect/logout?post_logout_redirect_uri=[...]&id_token_hint=[..very large jwt-token >4096..]
  • Response 414 (URI too long)
  • Keycloak version: v20.0.1
  • Expected: Successful logout redirect. The above request should respond with 302.

It seems that the logout URI path is too long. The default length of the Keycloak Quarkus service is 4096 bytes.

  • this occurs when your id_token_hint is too large

Set a higher length for the Quarkus parameter quarkus.http.limits.max-initial-line-length ...

  • as java parameter -Dquarkus.http.limits.max-initial-line-length=8192
  • or environment variable QUARKUS_HTTP_LIMITS_MAX_INITIAL_LINE_LENGTH=8192

AFAIK, you should pass an ID token to the id_token_hint and not an access token. From the OpenID Connect standard (section 2. RP-Initiated Logout) one can read:

This specification defines the following parameters that are used in the logout request at the Logout Endpoint:

id_token_hint RECOMMENDED. ID Token previously issued by the OP to the RP passed to the Logout Endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP.

So you need to pass id_token_hint=<id_token>. You get the ID token by calling the token endpoint with the scope=openid. For example, when a user logs in via browser, if your request includes the scope=openid you will get (along with the refresh and access tokens) the user ID token.
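A diagnostic for both answers above, as an added example that is not code from the original posts: it measures the logout request line against the 4096-byte default and reads the token's payload to see which kind of token is being sent. It assumes Keycloak's payload `typ` claim is "ID" for ID tokens and "Bearer" for access tokens; the realm name, redirect URI and both tokens are constructed samples.

```python
import base64
import json
from urllib.parse import urlencode

DEFAULT_LIMIT = 4096  # default initial-line limit quoted in the first answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed JWT for the demo; the signature is dummy bytes."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'x' * 256)}"


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_logout_request(realm, token, redirect_uri, limit=DEFAULT_LIMIT):
    """Report request-line length and token type for a logout GET."""
    query = urlencode({"post_logout_redirect_uri": redirect_uri,
                       "id_token_hint": token})
    line = f"GET /realms/{realm}/protocol/openid-connect/logout?{query} HTTP/1.1"
    typ = jwt_claims(token).get("typ")  # assumption: Keycloak sets "ID"/"Bearer"
    return {"line_length": len(line), "fits": len(line) <= limit,
            "typ": typ, "is_id_token": typ == "ID"}


# Constructed sample tokens: a small ID token and a role-heavy access token.
ID_TOKEN = make_sample_jwt({"typ": "ID", "sub": "user-1", "aud": "demo-client"})
ACCESS_TOKEN = make_sample_jwt({
    "typ": "Bearer", "sub": "user-1",
    "realm_access": {"roles": [f"role-{i:04d}" for i in range(400)]}})

if __name__ == "__main__":
    for name, tok in (("id", ID_TOKEN), ("access", ACCESS_TOKEN)):
        print(name, check_logout_request("demo", tok,
                                         "https://app.example/after-logout"))
```
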
