I’m in the process of updating our Keycloak setup from version 16.1.1 to 24.0.5 using Docker Compose. During this update, I’ve encountered issues with the logout URL which seem to be resolved by setting the following environment variables:
    environment:
      - KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
      - KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
From the Keycloak-quarkus dockerfiles (Keycloak Docker image):

KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI: Enables backward compatibility option legacy-logout-redirect-uri of OIDC login protocol in the server configuration (default value is false). Required for logout by UI of earlier archive version than 5.29.1.

KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN: Enables suppression of logout confirmation screen if the user does not provide a valid idTokenHint (default value is false).
In Keycloak 19.0.0, there were notable changes related to OIDC logout (based on the documentation):
- Support for the client_id parameter, which was added in the recent draft of the OIDC RP-Initiated Logout specification.
- The configuration option Valid Post Logout Redirect URIs was added to the OIDC client, aligned with the OIDC specification.
While these environment variables fix the logout issue, I am concerned about potential side effects, particularly regarding security vulnerabilities or other issues. My questions are:
- What are the security implications of enabling KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI?
- Could enabling KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN lead to any vulnerabilities or security risks?
- Are there any best practices for managing logout behavior in Keycloak 24.0.5 that align with the latest OIDC specifications?
Any insights or recommendations from those who have navigated similar updates would be greatly appreciated.
I updated the Docker Compose file to include the environment variables KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true and KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true. This configuration successfully resolved the logout URL issue, and I was able to perform logout actions without any errors. I expected that by setting these environment variables, the logout process would work correctly without requiring additional modifications or causing any security issues. The logout process worked as expected, but I’m concerned about the potential long-term effects, particularly regarding security vulnerabilities or compatibility issues. I want to ensure that enabling these variables does not introduce new risks.
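To make the trade-off concrete, the following is an added example (not from the original post and not Keycloak's own code) that models the logout request the Keycloak 19+ changes expect: id_token_hint and client_id identify the client, and post_logout_redirect_uri is checked against that client's Valid Post Logout Redirect URIs, so neither the legacy redirect_uri parameter nor the confirmation screen is needed. The endpoint URL, client id, token value and allow-list are constructed, and the trailing-`*` prefix match is a simplified stand-in for Keycloak's own URI matching.

```python
"""Model of the OIDC RP-Initiated Logout request Keycloak 19+ expects (added example)."""
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: a realm logout endpoint and one client's registered
# "Valid Post Logout Redirect URIs" (trailing '*' modelled as a prefix wildcard).
END_SESSION_ENDPOINT = "https://sso.example.invalid/realms/demo/protocol/openid-connect/logout"
VALID_POST_LOGOUT_URIS = ["https://app.example.invalid/*"]


def build_logout_url(id_token: str, client_id: str, post_logout_redirect_uri: str) -> str:
    """Spec-style logout URL: id_token_hint proves which session/client is
    logging out (so no confirmation screen is needed), client_id is the 19+
    fallback, and post_logout_redirect_uri replaces the legacy redirect_uri."""
    params = {
        "id_token_hint": id_token,
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def _uri_allowed(candidate: str, registered: List[str]) -> bool:
    """Exact match, or prefix match for entries ending in '*'."""
    for entry in registered:
        if entry.endswith("*") and candidate.startswith(entry[:-1]):
            return True
        if candidate == entry:
            return True
    return False


def validate_logout_request(url: str, registered: List[str] = VALID_POST_LOGOUT_URIS) -> Dict[str, bool]:
    """Defender-side view of an incoming logout request: which checks pass,
    and which behaviour each of the two legacy flags would relax."""
    q = parse_qs(urlparse(url).query)
    has_hint = "id_token_hint" in q
    identified = has_hint or "client_id" in q
    target = q.get("post_logout_redirect_uri", [None])[0]
    return {
        # Without id_token_hint the server cannot tell who is logging out, so it
        # shows a confirmation page (SUPPRESS_LOGOUT_CONFIRMATION_SCREEN skips it).
        "needs_confirmation": not has_hint,
        # A redirect is only safe once the client is known, because the
        # allow-list belongs to that client.
        "redirect_allowed": identified and target is not None and _uri_allowed(target, registered),
        # The pre-18 parameter, only honoured when LEGACY_LOGOUT_REDIRECT_URI=true.
        "uses_legacy_redirect_uri": "redirect_uri" in q,
    }
```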