Supabase OAuth Logout - Missing OAuth 'id_token' for 'id_token_hint' Parameter

I am using Keycloak as OAuth Provider coupled with Supabase. When the user logs out, WeWeb should not only terminate the Supabase session (-> Supabase Logout Action), but also terminate the Keycloak session.

This can be done by calling the OIDC endpoint https://mydomain.com/realms/myrealm/protocol/openid-connect/logout with the query parameter ?id_token_hint (spec). For this I would need the id_token, which should be returned on login when passing openid as scope (Stack Overflow), but the token does not seem to be available in WeWeb's Supabase auth object.

Is it possible to get the token? If not, could the Supabase auth plugin be extended accordingly, so the token becomes available via the Supabase auth object to log out from the (Keycloak) OAuth session seamlessly?

Hey @rikoentw :waving_hand:

Right now WeWeb's Supabase auth object doesn't expose the Keycloak id_token, so there isn't a built-in way to pass id_token_hint to the Keycloak logout endpoint directly. I'll check with the team whether we can expose that token in the Supabase plugin, and in the meantime a possible workaround is to handle the Keycloak logout via a custom backend/Edge Function endpoint that has access to the id_token and calls the OIDC logout URL from there after the Supabase logout.

Thanks for the confirmation!

Your suggested approach to log out via the backend would also make it necessary to log in with the backend in order to get the id_token, or can I get the required info via the passed auth token?

The addition of the id_token would be appreciated. :folded_hands:
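
The logout call discussed in this thread, as an added example (not code from the thread's participants, WeWeb or Supabase): it builds the Keycloak logout URL with `id_token_hint` and refuses to send a token whose `iss` claim does not match the realm, so a JWT from another issuer is never put into the query string. The function names, the sample token, the client id and the redirect URI are constructed assumptions; `post_logout_redirect_uri` and `state` are the optional parameters from the OIDC RP-Initiated Logout spec, and how the id_token is obtained is outside the example.

```javascript
// Added example: builds a Keycloak RP-initiated logout URL from an id_token.
// Realm URL, claims and redirect URI below are constructed sample values.

// Decode the JWT payload WITHOUT verifying it; used only to check the issuer.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("id_token is not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function buildLogoutUrl({ realmUrl, idToken, postLogoutRedirectUri, state }) {
  const issuer = realmUrl.replace(/\/+$/, "");
  // The token travels in the query string, so plain http is not acceptable.
  if (new URL(issuer).protocol !== "https:") {
    throw new Error("realm URL must use https");
  }
  // Refuse to hand a token to an endpoint that did not issue it.
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== issuer) {
    throw new Error("id_token issuer does not match the realm");
  }
  const url = new URL(issuer + "/protocol/openid-connect/logout");
  url.searchParams.set("id_token_hint", idToken);
  if (postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
    if (state) url.searchParams.set("state", state);
  }
  return url.toString();
}

// Constructed sample token with a placeholder signature, for demonstration only.
function makeSampleIdToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(claims) + ".c2ln";
}

const sampleToken = makeSampleIdToken({
  iss: "https://mydomain.com/realms/myrealm",
  aud: "weweb-app",
  sub: "user-123",
});
const sampleLogoutUrl = buildLogoutUrl({
  realmUrl: "https://mydomain.com/realms/myrealm/",
  idToken: sampleToken,
  postLogoutRedirectUri: "https://app.example.com/",
  state: "abc",
});
console.log(sampleLogoutUrl);
```

Because the id_token ends up in a URL, keep the resulting string out of application logs and analytics.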