Added setting of frontchannel.logout.url for keycloak

2025-08-18 17:55:09 +02:00 · 2025-08-17 10:38:25 +02:00 · 2025-08-17 10:38:25 +02:00 · fb7b3a3c8e
commit fb7b3a3c8e
parent 42f9ebad34
3 changed files with 19 additions and 9 deletions
--- a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
+++ b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
@ -54,11 +54,6 @@
         | select('string')
         | list | unique }}

-#- name: "Build post.logout.redirect.uris value ('+' plus explicit URIs without /*)"
-#  set_fact:
-#    kc_desired_post_logout_uris: >-
-#      {{ (['+'] + (kc_redirect_uris | map('regex_replace','/\\*$','') | list)) | join('\n') }}
-
 # 2) Resolve client id (strictly by provided clientId, no fallback)
 - name: "Resolve client internal id for {{ keycloak_client_id }}"
  shell: >
@ -104,15 +99,28 @@
    kc_desired_post_logout_uris_list: >-
      {{ "+" | split('\n') | reject('equalto','') | list | sort }}

+# after "Read current client configuration"
+- name: "Extract current frontchannel logout url"
+  set_fact:
+    kc_current_frontchannel_logout_url: >-
+      {{
+        (
+          (kc_client_obj.stdout | from_json).attributes['frontchannel.logout.url']
+          if 'frontchannel.logout.url' in (kc_client_obj.stdout | from_json).attributes
+          else ''
+        )
+      }}
+
 # 4) Update only when changed
- name: "Update redirectUris, webOrigins, post.logout.redirect.uris"
+- name: "Update client with redirectUris, webOrigins, frontchannelLogout"
  shell: >
    {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
    -r {{ keycloak_realm }}
    -s 'redirectUris={{ kc_redirect_uris | to_json }}'
    -s 'webOrigins={{ kc_web_origins | to_json }}'
-    -s 'attributes."post.logout.redirect.uris"={{ kc_desired_post_logout_uris | to_json }}'
+    -s 'frontchannelLogout=true'
+    -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
  when: kc_current_redirect_uris != kc_desired_redirect_uris
        or kc_current_web_origins  != kc_desired_web_origins
-        or kc_current_logout_uris  != kc_desired_post_logout_uris_list
+        or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url

--- a/roles/web-app-keycloak/templates/import/realm.json.j2
+++ b/roles/web-app-keycloak/templates/import/realm.json.j2
@ -527,9 +527,10 @@
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": true,
-      "frontchannelLogout": false,
+      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
+        "frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}",
        "realm_client": "false",
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@ -21,6 +21,7 @@ keycloak_client_id:                 "{{ OIDC.CLIENT.ID }}"
 keycloak_ldap_component_name:       "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
 keycloak_import_realm:              "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"               # Activate realm import  
 keycloak_update_ldap_bind:          "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}"           # Toggle the LDAP bind update step
+kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"

 # Docker 
 docker_compose_flush_handlers:      true                                                                                      # Remember to copy realm import before flush when set to true