How to setup redirect uri after OIDC logout

[poidras]

I'm using ActiveMQ 2.41.0 wich is using Hawtio 4.2.0.

I got the ODIC login flow working fine with the hawtio-oidc.properties file as mentionned here :

# Documentation here : https://hawt.io/docs/oidc.html#_generic_openid_connect_authentication_in_hawtio


# URL of OpenID Connect Provider - the URL after which ".well-known/openid-configuration" can be appended for
# discovery purposes
provider =  https://myoidc-provider.mycompany.com/auth/realms/myrealm/
# OpenID client identifier
client_id = myartemis-client-id
# response mode according to https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
response_mode = fragment
# scope to request when performing OpenID authentication. MUST include "openid" and required permissions
scope = openid email profile
# redirect URI after OpenID authentication - must also be configured at provider side
redirect_uri = https://myartemis.mycompany.com/console
# challenge method according to https://datatracker.ietf.org/doc/html/rfc7636
code_challenge_method = S256
# prompt hint according to https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
prompt = login

# additional configuration for the server side

# if true, .well-known/openid-configuration will be fetched at server side. This is required
# for proper JWT access token validation
oidc.cacheConfig = true

# time in minutes to cache public keys from jwks_uri
jwks.cacheTime = 60

# a path for an array of roles found in JWT payload. Property placeholders can be used for parameterized parts
# of the path (like for Keycloak) - but only for properties from this particular file
# example for properly configured Entra ID token
#oidc.rolesPath = roles
# example for Keycloak with use-resource-role-mappings=true
oidc.rolesPath = resource_access.${client_id}.roles


# properties for role mapping. Each property with "roleMapping." prefix is used to map an original role
# from JWT token (found at ${oidc.rolesPath}) to a role used by the application
roleMapping.admin = admin

However I got question about logout flow. I did not find how to make hawtio to call our OIDC provider (btw Keycloak) end_session_endpoint with a post_logout_redirect_uri query param such as the "Log out" button (at top right corner ) :

• no longer simply call https://myoidc-provider.mycompany.com/auth/realms/myrealm/protocol/openid-connect/logout

• but call https://myoidc-provider.mycompany.com/auth/realms/myrealm/protocol/openid-connect/logout?post_logout_redirect_uri=https://myartemis.mycompany.com/console&client_id=myartemis-client-id

Is such use cases supported? Or do you have any workaround to indeed logout and redirect to the login page.

Best Regards,

Neal Poidras

[grgrzybek]

Hello

Thanks for your detailed query. I'm aware that the OIDC support is not yet complete. Your scenario is one of these missing features.
OIDC support was based on existing Keycloak support in Hawtio, but Keycloak uses dedicated keycloak.js library where hidden iframe, background session management and logout are working out of the box.

Initial support for OIDC was added to handle Microsoft Azure IDP and some endpoints are missing there.

Actually now I'm working on an overhaul of Hawtio security (which includes authentication methods), and I hope to handle this scenario soon.

Please be patient - soon we should have something ;)