Logout with Keycloak 18+ not working
Issue Summary
Keycloak 18 has changed the logout mechanism to be more OIDC-compliant. It now requires a post_logout_redirect_uri (note the difference ..._uri vs. ..._url) and an id_token_hint for an RP-Initiated Logout. Previous versions used redirect_uri, implemented here:
https://github.com/alerta/alerta-webui/blob/e7575af4f3c38a6cdf9dbd1165b586a0849960c0/src/components/auth/ProfileMe.vue#L231-L237
Keycloak no longer accepts the query parameter and the logout fails with Invalid parameter: redirect_uri.
Environment
- OS: Linux
- API version: any
- Deployment: Docker, self-hosted, any...
- For self-hosted, WSGI environment: any
- Database: Postgres, any
- Server config (or provide the /config endpoint output):
  - Auth enabled? Yes
  - Auth provider? Keycloak
  - Customer views? No
- web UI version: latest master
- CLI version: latest master
To Reproduce
Steps to reproduce the behavior:
- Configure Alerta to use a Keycloak 18+ instance
- Login
- Profile > Logout
- Observe error
We are sorry... Invalid parameter: redirect_uri
For web app issues, include any web browser JavaScript console errors.
Expected behavior
Logout and redirect successful
Additional context
I tried sending the this.$store.state.auth.token as id_token_hint but that failed. I guess it is the auth token, not the ID token.
To make it all happen, we would need to identify if a Keycloak instance previous to version 18 is used, or an 18+ one. Not sure if this can be identified from client side, or if the user needs to configure it explicitly. Also we need to store the ID token in order to send it on logout.
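The two logout request shapes described in this issue, as an added example that is not part of the original report and is not alerta-webui code. The function names, the `legacy` flag and the example.test hosts are hypothetical; the check on the `typ` claim assumes Keycloak marks ID tokens with `typ: "ID"` and access tokens with `typ: "Bearer"`, and the decoding uses Node's `Buffer`.

```javascript
// Added example (hypothetical helper names, not from alerta-webui).

// Decode the payload of a compact JWT WITHOUT verifying it.
// Used only to tell an ID token from an access token before logout.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Assumption: Keycloak sets typ "ID" on ID tokens and "Bearer" on access tokens.
function isIdToken(jwt) {
  try {
    return decodeJwtPayload(jwt).typ === 'ID';
  } catch (e) {
    return false; // malformed input is never a valid id_token_hint
  }
}

// Build the logout URL for either mechanism named in the issue.
// legacy=true  -> pre-18 style: redirect_uri only
// legacy=false -> 18+ RP-Initiated Logout: post_logout_redirect_uri + id_token_hint
function buildLogoutUrl({ endSessionEndpoint, redirectTo, idToken, legacy }) {
  const url = new URL(endSessionEndpoint);
  if (legacy) {
    url.searchParams.set('redirect_uri', redirectTo);
    return url.toString();
  }
  if (!isIdToken(idToken)) {
    throw new Error('id_token_hint must be the ID token, not the access token');
  }
  url.searchParams.set('post_logout_redirect_uri', redirectTo);
  url.searchParams.set('id_token_hint', idToken);
  return url.toString();
}

// Constructed, unsigned sample token for trying the functions offline.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.sig`;
}
```

The `typ` check is a client-side sanity test only; Keycloak still validates the hint itself, and the client has to keep the ID token from the login response to have anything to send.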