Issue with Azure AD Sign-Out Redirect from Keycloak - AADSTS90023 Error

vishnu udayan 0 Reputation points
2024-11-19T00:44:14.6666667+00:00

I'm encountering an issue with the sign-out process in my application, which uses Keycloak with OIDC to enable SSO with Azure AD. When attempting to sign out from a redirected URL, I receive the following error:

AADSTS90023: Invalid request. The request specified session id but did not specify issuer.

Here are some details about my setup:

  • The application is registered in Azure AD.
  • Keycloak is configured as the identity provider with OIDC. (keycloak version: 20.0.5)
  • The redirect URIs and logout URLs are set up in both Keycloak and Azure AD. [https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout?state=5a22609f-7f5d-4cd3-a23c-e5d032e96c48&id_token_hint={token}&post_logout_redirect_uri=https%3A%2F%2Fdomain%2Fsso%2Frealms%2Frealm%2Fbroker%2Foidc%2Fendpoint%2Flogout_response]

I've checked the following:

  1. The redirect URIs in both Keycloak and Azure AD match exactly.
  2. The OIDC settings, including client IDs and secrets, are correctly configured.
  3. The logout endpoint URL is correctly set.
  4. Session management settings seem to be in order.

Despite these checks, the error persists. Could anyone provide guidance on what might be causing this issue and how to resolve it?

Thank you


1 answer

  1. James Hamil 26,976 Reputation points Microsoft Employee
    2024-11-19T16:09:07.9533333+00:00

    Hi @vishnu udayan, it looks like the session_id parameter is being sent in the logout request, but the issuer parameter is missing. Both parameters are required in the logout request.

    Make sure that the issuer parameter is included in the logout request. The issuer parameter should contain the URL of the issuer of the ID token that was used to authenticate the user. In your case, this would be the URL of your Keycloak instance.

    Also verify that the id_token_hint parameter is included in the logout request. This parameter should contain the ID token that was used to authenticate the user.

    Here is an example of a properly formatted logout request:

    https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout?
    post_logout_redirect_uri=https%3A%2F%2Fdomain%2Fsso%2Frealms%2Frealm%2Fbroker%2Foidc%2Fendpoint%2Flogout_response&
    id_token_hint={id_token}&
    session_state={session_state}&
    issuer={issuer}
    

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
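An added example, not part of the answer above nor of Keycloak's or Microsoft's code: a Python helper that builds the logout URL with the parameters the answer lists (encoding the redirect URI exactly once) and a checker that flags a session id sent without issuer, a missing id_token_hint, and a post_logout_redirect_uri that does not exactly match the registered list. Parameter names follow the answer; treating `sid` as an alias for the session id, and the tenant, token and issuer sample values, are assumptions.

```python
"""Build and sanity-check an Entra ID (Azure AD) end-session URL (constructed example)."""
from urllib.parse import parse_qs, urlencode, urlsplit

ENTRA_LOGOUT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout"
SESSION_PARAMS = ("session_state", "sid")  # "sid" as an alias is an assumption


def build_logout_url(tenant_id, post_logout_redirect_uri, id_token_hint,
                     session_state=None, issuer=None, state=None):
    """Return a logout URL whose values are percent-encoded once by urlencode.

    Pass the redirect URI raw: encoding it yourself and then urlencoding it
    double-encodes it, and the exact-match check at Entra then fails.
    """
    params = {"post_logout_redirect_uri": post_logout_redirect_uri,
              "id_token_hint": id_token_hint}
    if session_state is not None:
        if not issuer:  # a session id without its issuer is what AADSTS90023 rejects
            raise ValueError("session_state requires issuer (AADSTS90023)")
        params["session_state"] = session_state
        params["issuer"] = issuer
    if state is not None:
        params["state"] = state
    return ENTRA_LOGOUT.format(tenant=tenant_id) + "?" + urlencode(params)


def check_logout_url(url, registered_redirects):
    """Return the problems found in an already-built logout URL ([] means OK).

    registered_redirects: the post-logout URIs registered in Entra ID,
    compared exactly (no prefix or wildcard matching).
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    if any(p in query for p in SESSION_PARAMS) and "issuer" not in query:
        problems.append("session id present but issuer missing (AADSTS90023)")
    if not query.get("id_token_hint", [""])[0]:
        problems.append("id_token_hint missing or empty")
    redirect = query.get("post_logout_redirect_uri", [""])[0]
    if not redirect:
        problems.append("post_logout_redirect_uri missing")
    elif redirect not in registered_redirects:
        problems.append(f"post_logout_redirect_uri not registered: {redirect}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the tenant, token and issuer are placeholders.
    redirect = "https://domain/sso/realms/realm/broker/oidc/endpoint/logout_response"
    url = build_logout_url("TENANT_ID_PLACEHOLDER", redirect, "ID_TOKEN_PLACEHOLDER",
                           session_state="abc123", issuer="https://domain/sso/realms/realm")
    print(url)
    print(check_logout_url(url, {redirect}))  # [] when everything is consistent
```

Run the checker against the URL Keycloak actually emits (captured from the browser) with the exact registered redirect URI to see which of the three conditions it trips.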

