From 8781aa3a5265c6beb813114a2550beab40a664f3 Mon Sep 17 00:00:00 2001
From: Thatsaphorn Atchariyaphap
Date: Wed, 18 Jun 2025 00:46:12 +0900
Subject: [PATCH] Enhance `/logout` logic in `nginx.conf` to include `id_token_hint` in Keycloak logout URL and set `post_logout_redirect_uri`.
---
 nginx.conf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/nginx.conf b/nginx.conf
index 9ffb913..91043d6 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,17 +40,19 @@ http {
 # Full logout: clears local session and redirects to Keycloak logout
 location = /logout {
- limit_except GET POST { deny all; } # allow both GET and POST
+ limit_except GET POST { deny all; }
 access_by_lua_block {
 local session = require("resty.session").start()
+ local id_token = session.data and session.data.id_token
 session:destroy()
- local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
- if not logout_url then
- ngx.status = 500
- ngx.say("KEYCLOAK_LOGOUT_URL environment variable not set")
- return
+ local redirect_uri = "https://demo.rhein-software.dev"
+ local logout_url = "https://sso.rhein-software.dev/realms/rheinsw/protocol/openid-connect/logout"
+ .. "?post_logout_redirect_uri=" .. ngx.escape_uri(redirect_uri)
+
+ if id_token then
+ logout_url = logout_url .. "&id_token_hint=" .. ngx.escape_uri(id_token)
 end
 return ngx.redirect(logout_url)
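Review bot: When `id_token` is nil (expired session, or a session that never held a token) the redirect still carries `post_logout_redirect_uri` with nothing that identifies the client, while OpenID Connect RP-Initiated Logout expects `id_token_hint` or `client_id` next to it; a Keycloak that enforces this may show an error page and leave the SSO session alive although the local session is already destroyed. Add a fallback after the `if`, for example `else logout_url = logout_url .. "&client_id=" .. ngx.escape_uri("<CLIENT_ID>")` (placeholder, the client id is not visible in this patch). `ngx.escape_uri` takes a string, so `if type(id_token) == "string" then` is the safer guard in case the session keeps decoded claims under that key, which cannot be confirmed from the hunk. The commit also swaps the `KEYCLOAK_LOGOUT_URL` lookup for hard-coded hosts; a comment such as `-- endpoints are pinned to this deployment; update both when the realm or demo host changes` would record that this is deliberate. The `access_by_lua_block` and `location` bodies close outside the hunk.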