OIDC Logout URL

[joeftiger]

Hello everyone

I am evaluating dockerized MISP for the past few weeks in conjunction with Keycloak for OIDC.
Using MISP/misp-docker I have been able to provide a logout url for OIDC using their OIDC_LOGOUT_URL environment variable for successful logout and redirect to login page.
Their script part
In my case I used something along

OIDC_LOGOUT_URL=https://..../realms/{myrealm}/protocol/openid-connect/logout?client_id={myclient}

(Keycloak is unhappy if not specifying the client_id)

I noticed that for your docker image it is currently hardcoded inside the config.php template.
After clicking Logout in MISP I end up with 400 error on a Keycloak page:

Clicking Back to Application then leads me to the original Keycloak login webpage for MISP.

And as mentioned in your OIDC docs - Caveats the user is still logged into Keycloak.

May I suggest to provide a new environment variable like OIDC_LOGOUT_URL to allow overriding the current setting?
This would improve OIDC interaction and provide true logout capability for it.

Kind regards

[ondj]

Hello, logout URL is hardcoded, because it works together with OIDC module in Apache. So when user click logout, MISP application invalidate local session, then redirect to OIDC module that invalidates OIDC session and the user is redirected to Keycloak.

The Invalid redirect uri looks like the URL provided to Keycloak by Apache OIDC module is wrong. Can you please check your Keycloak setting and redirect_uri parameter in URL when this error message is shown?