In my web application I have a logout mechanism that redirects to the Keycloak logout page /auth/realms/account-1/protocol/openid-connect/logout, which looks like this:
Clicking the Logout button, a request is being sent to:
POST /auth/realms/account-1/protocol/openid-connect/logout/logout-confirm?client_id=account&tab_id=hvJMKC-Rbbc
And the response headers are clearing most of the cookies using the Expires flag:
HTTP/2 200 
content-language: en
content-security-policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
content-type: text/html;charset=utf-8
referrer-policy: no-referrer
set-cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/; HttpOnly
set-cookie: KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/; HttpOnly
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/
set-cookie: KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/
set-cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1; HttpOnly
set-cookie: KEYCLOAK_IDENTITY_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1; HttpOnly
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1
set-cookie: KEYCLOAK_SESSION_LEGACY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1
set-cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: none
x-xss-protection: 1; mode=block
content-length: 1745
date: Wed, 06 Dec 2023 10:20:13 GMT
X-Firefox-Spdy: h2
But some headers like kc-access and kc-access-1 remain, and those headers are basically just a JWT that can easily be decoded to gain personal user information like given_name, family_name and email.
What am I doing wrong? Why is Keycloak not removing those? Is it possible to get Keycloak to perform a complete and clean logout?
In other questions like Keycloak logout request does not log out user, people suggest using the query parameters id_token_hint and post_logout_redirect_uri. I don't like this idea, though. Essentially, if I wanted to use these parameters, I would have to make the logout button run dynamic code instead of having a JS-independent link that just always works. One bug in my application could mean the logout button stops working.
One alternative people suggest is using client_id along with post_logout_redirect_uri, but I have tried that and it still doesn't get rid of cookies like kc-access.
I also couldn't find any information in these docs on why some cookies are kept. It just mentions that it works according to spec, which I guess means the OpenID specifications. But I couldn't find anything about kc-access in the spec.
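The behaviour in the question can be checked mechanically: an expiring Set-Cookie header removes only the cookie with exactly the name and path it names, so a cookie that another component set under a different name or path survives a Keycloak logout untouched. The following is an added example (not from the question, and not Keycloak's code) that applies the Set-Cookie headers from the logout response above to a constructed cookie jar and lists what is left; the Path of kc-access and kc-access-1 is an assumption, since the question does not show it.

```python
# Constructed cookie jar before logout, keyed by (name, path). A browser identifies a
# cookie by name + domain + path (RFC 6265), so an expiring Set-Cookie removes only the
# cookie with exactly that name and path. The "/" path of kc-access and kc-access-1 is an
# ASSUMPTION (set by a component in front of Keycloak); the question does not show it.
COOKIES_BEFORE_LOGOUT = {
    ("KEYCLOAK_IDENTITY", "/auth/realms/account-1/"),
    ("KEYCLOAK_SESSION", "/auth/realms/account-1/"),
    ("KEYCLOAK_REMEMBER_ME", "/auth/realms/account-1/"),
    ("kc-access", "/"),
    ("kc-access-1", "/"),
}

# Subset of the logout response headers quoted in the question.
LOGOUT_RESPONSE_HEADERS = """\
HTTP/2 200
set-cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/; HttpOnly
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/
set-cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1
set-cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/account-1/; HttpOnly
x-frame-options: SAMEORIGIN
"""

def parse_set_cookie(value):
    """Return (name, path, expired) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    # Keycloak clears with Max-Age=0 (Max-Age takes precedence over Expires); a header
    # without Max-Age is treated as not expiring, so Expires-only clears are not modelled.
    expired = "max-age" in attrs and int(attrs["max-age"]) <= 0
    return name, attrs.get("path", "/"), expired  # default Path simplified to "/"

def cleared_cookies(raw_headers):
    """(name, path) pairs that the response's Set-Cookie headers expire."""
    cleared = set()
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, path, expired = parse_set_cookie(value.strip())
            if expired:
                cleared.add((name, path))
    return cleared

def cookies_surviving_logout(before, raw_headers):
    """Cookies still in the jar after applying the logout response's Set-Cookie headers."""
    return sorted(before - cleared_cookies(raw_headers))
```

Run against the sample, only the two kc-access cookies survive; a Keycloak cookie stored under any path other than the two Keycloak expires (with and without the trailing slash) would survive in the same way.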
