Enhance /logout logic in nginx.conf to include id_token_hint in Keycloak logout URL and set post_logout_redirect_uri.

2025-06-18 00:46:12 +09:00
parent bff8dd78f0
commit 8781aa3a52
1 changed files with 8 additions and 6 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,17 +40,19 @@ http {

    # Full logout: clears local session and redirects to Keycloak logout
    location = /logout {
-      limit_except GET POST { deny all; }  # allow both GET and POST
+      limit_except GET POST { deny all; }

      access_by_lua_block {
        local session = require("resty.session").start()
+        local id_token = session.data and session.data.id_token
        session:destroy()

-        local logout_url = os.getenv("KEYCLOAK_LOGOUT_URL")
-        if not logout_url then
-          ngx.status = 500
-          ngx.say("KEYCLOAK_LOGOUT_URL environment variable not set")
-          return
+        local redirect_uri = "https://demo.rhein-software.dev"
+        local logout_url = "https://sso.rhein-software.dev/realms/rheinsw/protocol/openid-connect/logout"
+                         .. "?post_logout_redirect_uri=" .. ngx.escape_uri(redirect_uri)
+
+        if id_token then
+          logout_url = logout_url .. "&id_token_hint=" .. ngx.escape_uri(id_token)
        end

        return ngx.redirect(logout_url)