Logout Failure with Keycloak OIDC Integration on Moodle 4.5.4+

by Rishabh Arya -
Number of replies: 6

Hi Moodle Community,

I’m currently integrating Keycloak with Moodle using the core auth_oidc plugin on Moodle 4.5.4+ (Build 20250509). Login works perfectly, but I’m encountering issues when trying to log out.

Symptoms:

  • Clicking Logout in Moodle redirects me to: http://<keycloak-server>/realms/myrealm/protocol/openid-connect/logout

  • Keycloak shows the “Do you want to logout?” confirmation page.

  • After confirming, it shows Logout Failure and does not redirect back to Moodle; instead it redirects to http://<keycloak-server>/realms/myrealm/protocol/openid-connect/logout/logout-confirm?client_id=account&tab_id=...

What I’ve tried so far:

  1. Verified Moodle OIDC plugin settings:

    • End Session Endpoint set to /protocol/openid-connect/logout

  2. Keycloak client configuration:

    • Frontchannel Logout enabled

    • Post Logout Redirect URI added: http://<moodle-server>/*

Question:
Has anyone successfully configured Moodle 4.5+ with Keycloak OIDC logout? How can I ensure the user logs out correctly and is redirected back to Moodle?

Any guidance or patch suggestions would be greatly appreciated.

Thanks in advance!

In reply to Rishabh Arya

by Emma Richardson -

Yes! I have this exact setup... but... I did hack core code a little! Under backchannel logout I have https://"keycloak"/realms/"myrealm"/protocol/openid-connect/logout, though I'm not 100% sure you need that. I also have my Moodle URL under post logout URL.

In Moodle, I changed the following in the login/logout.php file.

    //    $redirect = $CFG->wwwroot.'/';
    $redirect = 'https://"keycloak"/realms/"myrealm"/protocol/openid-connect/logout?client_id="clientid"';
}

Replace everything in double quotes with your info.  Now, when I log out, Keycloak logs out correctly and gives a return to application link which links back to Moodle home page.

In reply to Emma Richardson

by Rishabh Arya -

Thanks a lot for the valuable feedback earlier.

I’ve tried the suggested changes and here’s what I did:

  1. Modified login/logout.php

    // can be overridden by auth plugins
    if ($login) {
        $redirect = get_login_url();
    } else {
        // $redirect = $CFG->wwwroot.'/';
        $redirect = "https://<keycloak>/realms/<myrealm>/protocol/openid-connect/logout?client_id=<client_id>";
    }
    

    Just to confirm — by <client_id>, this refers to the Keycloak client ID in <myrealm> that Moodle is registered under, correct?
    For example, if my client is called moodle-client, I just need to replace <client_id> with moodle-client (without quotes).

  2. Configured Backchannel Logout URL in Keycloak as:

    https://<keycloak>/realms/<myrealm>/protocol/openid-connect/logout
    
  3. Added Post Logout Redirect URI in Keycloak as:

    <moodle_url>
    

Result:
Despite these changes, I’m still getting the logout failure screen, and the redirect goes to:

https://<keycloak>/realms/<myrealm>/protocol/openid-connect/logout/logout-confirm?client_id=account&tab_id=dA7....


Am I missing a step in ensuring that Keycloak uses the moodle-client session (instead of defaulting to account) when logging out?

Thanks again for your help!
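
The logout URL discussed in the two posts above, built with the parameter names that the OpenID Connect RP-Initiated Logout 1.0 specification defines for the end-session endpoint (client_id, post_logout_redirect_uri, id_token_hint), as an added example that is not part of the thread and is not Moodle or auth_oidc code. The hosts are constructed placeholders, the function names are hypothetical, and the pattern check assumes a registered redirect entry is either an exact URI or a prefix ending in a single trailing `*`.

```php
<?php
// Added example. Hosts, realm and client id are constructed placeholders.

/** Assumption: a registered pattern is an exact URI or a prefix ending in '*'. */
function redirect_uri_allowed(string $uri, array $patterns): bool {
    foreach ($patterns as $pattern) {
        if (substr($pattern, -1) === '*') {
            $prefix = substr($pattern, 0, -1);
            if (strncmp($uri, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        } else if ($uri === $pattern) {
            return true;
        }
    }
    return false;
}

/** Build the end-session URL; refuse a return URL the registered patterns do not cover. */
function build_logout_url(string $endsession, string $clientid, string $returnurl,
        array $patterns, ?string $idtoken = null): string {
    if (!redirect_uri_allowed($returnurl, $patterns)) {
        // Scheme, host and port must all match: http:// against https:// is a mismatch.
        throw new InvalidArgumentException("Return URL not registered: $returnurl");
    }
    $params = [
        'client_id' => $clientid,
        'post_logout_redirect_uri' => $returnurl,
    ];
    if ($idtoken !== null) {
        $params['id_token_hint'] = $idtoken; // ID token from login, if the caller kept it.
    }
    // Percent-encode every value so the return URL cannot add parameters of its own.
    return $endsession . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

$endsession = 'https://keycloak.example.test/realms/myrealm/protocol/openid-connect/logout';
$registered = ['https://moodle.example.test/*']; // constructed "Post Logout Redirect URI" entry

echo build_logout_url($endsession, 'moodle-client', 'https://moodle.example.test/', $registered), "\n";

try {
    // Same host over http:// is rejected before any redirect is issued.
    build_logout_url($endsession, 'moodle-client', 'http://moodle.example.test/', $registered);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```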

In reply to Emma Richardson

by Emma Richardson -
Are you using a special plugin for this? Or are you setting this up under Server/OAuth2?
In reply to Emma Richardson

by Rishabh Arya -
Using the OpenID Connect Plugin.
OpenID Connect 4.5.2 (2024100710)

Getting it under Site administration->Plugins->Authentication->OpenID Connect
In reply to Rishabh Arya

by Emma Richardson -
OK, I would just use the built-in OAuth2 unless that plugin is giving you something extra - I have not worked with it, so I have no idea if that is a bug in the software or not.
In reply to Rishabh Arya

by Ken Task -
Keycloak shows the “Do you want to logout?” confirmation page.

Are you sure it's Keycloak confirming or is it Moodle?
Using the logout link from the user's drop-down menu on a 4.5.highest site that uses manual, LDAP, or Google OAuth2, the link shows a ?sesskey=lettersnumbers at the end.

Haven't verified, but assume that session key matches user in mdl_sessions table. Moodle then blanks the user info in moodledata/sessions/fileassociatedwithuser

While you are figuring this out, maybe:

Drop down menus, a Logout reminder that says:
"Finished?  Then please logout!"
No link ... just a reminder.
Above appears clickable but goes nowhere. Not what you want I know, but ....

And somewhere on front page maybe a link to a cybersecurity page about not logging out:

https://www.cybersecurity-insiders.com/can-failing-to-log-out-from-online-accounts-pose-a-cybersecurity-threat/

Bad habits are bad habits and hard to break!  Hopefully, users will not have to learn the 'hard way'!!!!

'SoS', Ken