[keycloak-dev] logout behavior changed

Bill Burke bburke at redhat.com
Sun Aug 10 10:47:24 EDT 2014


I changed how logout works.  It bothered me that there was no 
authentication and that anybody could just push any guessed session_id 
to /logout.  So, it is now split up into two forms of Logout:

* GET /realms/{realm}/tokens/logout?redirect_uri={}
I removed the session_state parameter.  This is a browser-based logout 
and requires the user to be logged in.  I still need to verify that the 
redirect_uri is a valid URI.
* POST /realms/{realm}/tokens/logout
Same form parameters and authentication required as a refresh token 
request.  A valid refresh token is required to be able to logout the 
session.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
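As an added illustration (not Keycloak's code and not part of the post above), the following Python sketch models the access checks the two endpoint shapes imply: the old unauthenticated logout that accepts any guessed session id, the browser GET that needs a logged-in identity cookie plus a redirect_uri check, and the POST that needs a valid refresh token with client authentication. Everything beyond the two endpoint shapes is an assumption made for the example: the in-memory SESSIONS store, the HMAC-signed cookie and refresh token, the client_id/client_secret check standing in for "the same authentication as a refresh token request", and exact-match validation of redirect_uri against a client's registered URIs.

```python
"""Model of the two logout forms described in the post.

Illustration only, not Keycloak code. Assumptions (not from the post):
sessions live in a dict, the browser identity is an HMAC-signed cookie,
refresh tokens are HMAC-signed blobs, the POST is client-authenticated with
client_id/client_secret, and redirect_uri must exactly match a registered URI.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

SECRET = b"constructed-realm-signing-key"  # constructed sample key

# Constructed sample realm state.
SESSIONS = {"sess-1": {"user": "alice", "client": "webapp"}}
REGISTERED_REDIRECTS = {"webapp": ["https://app.example.com/logged-out"]}
CLIENT_SECRETS = {"webapp": "constructed-webapp-secret"}


def _sign(payload: dict) -> str:
    """Encode payload as base64url JSON and append an HMAC-SHA256 tag."""
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the tag is valid, else None (tampered or malformed)."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_identity_cookie(session_id: str) -> str:
    return _sign({"typ": "cookie", "sid": session_id})


def issue_refresh_token(session_id: str, client_id: str) -> str:
    return _sign({"typ": "refresh", "sid": session_id, "azp": client_id})


def old_logout(session_state: str) -> bool:
    """The behaviour being replaced: anyone who guesses a session id can kill it."""
    return SESSIONS.pop(session_state, None) is not None


def valid_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Reject non-http(s), fragment-bearing, and unregistered URIs (exact match)."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme not in ("http", "https") or not parsed.netloc or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, [])


def browser_logout(identity_cookie: Optional[str], redirect_uri: str) -> Tuple[int, Optional[str]]:
    """GET /realms/{realm}/tokens/logout?redirect_uri=...  Requires a logged-in browser."""
    claims = _verify(identity_cookie) if identity_cookie else None
    if not claims or claims.get("typ") != "cookie":
        return 401, None
    session = SESSIONS.get(claims["sid"])
    if session is None:
        return 401, None  # cookie signed but session already gone
    if not valid_redirect_uri(session["client"], redirect_uri):
        return 400, None  # refuse to become an open redirector
    del SESSIONS[claims["sid"]]
    return 302, redirect_uri


def token_logout(form: dict) -> int:
    """POST /realms/{realm}/tokens/logout  Same auth as a refresh: client creds + refresh token."""
    client_id = form.get("client_id", "")
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None or not hmac.compare_digest(form.get("client_secret", ""), secret):
        return 401
    claims = _verify(form.get("refresh_token", ""))
    if not claims or claims.get("typ") != "refresh" or claims.get("azp") != client_id:
        return 400
    session = SESSIONS.get(claims["sid"])
    if session is None or session["client"] != client_id:
        return 400
    del SESSIONS[claims["sid"]]
    return 204


if __name__ == "__main__":
    cookie = issue_identity_cookie("sess-1")
    print(browser_logout(cookie, "https://evil.example/phish"))  # rejected redirect
    print(browser_logout(cookie, "https://app.example.com/logged-out"))
```

The refresh-token path deliberately checks client credentials before even parsing the token, and the browser path checks the cookie before the redirect_uri, so an unauthenticated caller learns nothing about which session ids or redirect targets exist.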

