react-oidc-context
revokeTokens and removeUser doesn't deauthenticate the user.
When the user logs out I call
auth.revokeTokens();
auth.removeUser();
But the user can still access a protected route and when I log
const auth = useAuth();
console.log(auth);
Auth shows user info and that they are still authenticated, including id_token.
Is this a bug or is there a correct/better way to remove authentication?
You will need to sign out from the authz server. They typically place a cookie in your browser to recognize you again... You can do so by calling signoutRedirect (https://github.com/authts/oidc-client-ts/blob/main/src/UserManager.ts#L470) or signoutPopup.
@pamapa That worked but it redirects the user to the Keycloak "you've been logged out" page. Is there a way, with the library, to have the user redirected to a different location? I'd like the user redirected back to the login screen.
On further digging, I found I could pass post_logout_redirect_uri into the method (auth.signoutRedirect({ post_logout_redirect_uri: <string | undefined> })).
You can already set up post_logout_redirect_uri during configuration; it's part of OidcClientSettings too (see https://authts.github.io/oidc-client-ts/interfaces/OidcClientSettings.html#post_logout_redirect_uri)...
@pamapa I am having the same issue. After I call auth.signoutRedirect, even though I pass the post_logout_redirect_uri as a param, it is not redirected there. Also, I don't see a ?redirectUrl on the auth server logout URL.
You have to validate the post logout URL in the Keycloak client's configuration ("Valid post logout redirect URIs").
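The sketch below is an added example, not code from this thread, from react-oidc-context or from Keycloak. It builds the logout request that a redirect-based sign-out sends to the authorization server and checks it for the two problems discussed above: a missing `post_logout_redirect_uri` and one that is not registered for the client. The endpoint, client id, token and URIs are constructed sample values, and the exact-match allow-list is a simplified model of the server-side check.

```javascript
// Added example. All hosts, ids and tokens below are constructed sample values.

// Build the end-session URL using the parameter names from
// OpenID Connect RP-Initiated Logout 1.0.
function buildLogoutUrl(endSessionEndpoint, opts) {
  const url = new URL(endSessionEndpoint);
  const { idTokenHint, clientId, postLogoutRedirectUri, state } = opts;
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  if (clientId) url.searchParams.set("client_id", clientId);
  if (postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  }
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Simplified model (assumption): the server honours the redirect only when
// the URI exactly matches an entry registered for the client.
function isRegistered(uri, registeredUris) {
  return registeredUris.includes(uri);
}

// Inspect a logout URL (for example, copied from the browser's network tab)
// and list the reasons the post-logout redirect would not be honoured.
function diagnoseLogoutUrl(logoutUrl, registeredUris) {
  const params = new URL(logoutUrl).searchParams;
  const target = params.get("post_logout_redirect_uri");
  const problems = [];
  if (!target) {
    problems.push("post_logout_redirect_uri missing");
  } else if (!isRegistered(target, registeredUris)) {
    problems.push("post_logout_redirect_uri not registered");
  }
  // Without one of these the server cannot tell which client's
  // registered URIs to compare against.
  if (!params.get("id_token_hint") && !params.get("client_id")) {
    problems.push("no id_token_hint or client_id");
  }
  return problems;
}

const SAMPLE_ENDPOINT = "https://idp.example.test/logout"; // constructed
const SAMPLE_REGISTERED = ["https://app.example.test/login"]; // constructed
const sampleUrl = buildLogoutUrl(SAMPLE_ENDPOINT, {
  idTokenHint: "sample.id.token", // constructed, not a real JWT
  postLogoutRedirectUri: "https://app.example.test/login",
});
console.log(diagnoseLogoutUrl(sampleUrl, SAMPLE_REGISTERED)); // no problems
```

A trailing slash or a different port is enough to fail the exact match, so compare the value in the logout URL character by character with the registered entry.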