Added setting of frontchannel.logout.url for keycloak

roles/web-app-keycloak/tasks/02_update_client_redirects.yml

@@ -54,11 +54,6 @@
          | select('string')
          | list | unique }}
 
-#- name: "Build post.logout.redirect.uris value ('+' plus explicit URIs without /*)"
-#  set_fact:
-#    kc_desired_post_logout_uris: >-
-#      {{ (['+'] + (kc_redirect_uris | map('regex_replace','/\\*$','') | list)) | join('\n') }}
-
 # 2) Resolve client id (strictly by provided clientId, no fallback)
 - name: "Resolve client internal id for {{ keycloak_client_id }}"
   shell: >
@@ -104,15 +99,28 @@
     kc_desired_post_logout_uris_list: >-
       {{ "+" | split('\n') | reject('equalto','') | list | sort }}
 
+# after "Read current client configuration"
+- name: "Extract current frontchannel logout url"
+  set_fact:
+    kc_current_frontchannel_logout_url: >-
+      {{
+        (
+          (kc_client_obj.stdout | from_json).attributes['frontchannel.logout.url']
+          if 'frontchannel.logout.url' in (kc_client_obj.stdout | from_json).attributes
+          else ''
+        )
+      }}
+
 # 4) Update only when changed
-- name: "Update redirectUris, webOrigins, post.logout.redirect.uris"
+- name: "Update client with redirectUris, webOrigins, frontchannelLogout"
   shell: >
     {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
     -r {{ keycloak_realm }}
     -s 'redirectUris={{ kc_redirect_uris | to_json }}'
     -s 'webOrigins={{ kc_web_origins | to_json }}'
-    -s 'attributes."post.logout.redirect.uris"={{ kc_desired_post_logout_uris | to_json }}'
+    -s 'frontchannelLogout=true'
+    -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
   when: kc_current_redirect_uris != kc_desired_redirect_uris
         or kc_current_web_origins  != kc_desired_web_origins
-        or kc_current_logout_uris  != kc_desired_post_logout_uris_list
+        or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url
 

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -527,9 +527,10 @@
       "directAccessGrantsEnabled": false,
       "serviceAccountsEnabled": false,
       "publicClient": true,
-      "frontchannelLogout": false,
+      "frontchannelLogout": true,
       "protocol": "openid-connect",
       "attributes": {
+        "frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}",
         "realm_client": "false",
         "oidc.ciba.grant.enabled": "false",
         "backchannel.logout.session.required": "true",

roles/web-app-keycloak/vars/main.yml

@@ -21,6 +21,7 @@ keycloak_client_id:                 "{{ OIDC.CLIENT.ID }}"
 keycloak_ldap_component_name:       "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
 keycloak_import_realm:              "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"               # Activate realm import  
 keycloak_update_ldap_bind:          "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}"           # Toggle the LDAP bind update step
+kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
 
 # Docker 
 docker_compose_flush_handlers:      true                                                                                      # Remember to copy realm import before flush when set to true