# Keycloak

composer require socialiteproviders/keycloak

# Installation & Basic Usage

Please see the Base Installation Guide (opens new window), then follow the provider specific instructions below.

# Add configuration to config/services.php

'keycloak' => [
  'client_id' => env('KEYCLOAK_CLIENT_ID'),
  'client_secret' => env('KEYCLOAK_CLIENT_SECRET'),
  'redirect' => env('KEYCLOAK_REDIRECT_URI'),
  'base_url' => env('KEYCLOAK_BASE_URL'),   // Specify your keycloak server URL here
  'realms' => env('KEYCLOAK_REALM')         // Specify your keycloak realm
],

# Add provider event listener

# Laravel 11+

In Laravel 11, the default EventServiceProvider provider was removed. Instead, add the listener using the listen method on the Event facade, in your AppServiceProvider boot method.

  • Note: You do not need to add anything for the built-in socialite providers unless you override them with your own providers.
Event::listen(function (\SocialiteProviders\Manager\SocialiteWasCalled $event) {
    $event->extendSocialite('keycloak', \SocialiteProviders\Keycloak\Provider::class);
});
Laravel 10 or below Configure the package's listener to listen for `SocialiteWasCalled` events.

Add the event to your listen[] array in app/Providers/EventServiceProvider. See the Base Installation Guide (opens new window) for detailed instructions.

protected $listen = [
    \SocialiteProviders\Manager\SocialiteWasCalled::class => [
        // ... other providers
        \SocialiteProviders\Keycloak\KeycloakExtendSocialite::class.'@handle',
    ],
];

# Usage

You should now be able to use the provider like you would regularly use Socialite (assuming you have the facade installed):

return Socialite::driver('keycloak')->redirect();

To logout of your app and Keycloak:

public function logout() {
    // Logout of your app.
    Auth::logout();
    
    // The user will not be redirected back.
    return redirect(Socialite::driver('keycloak')->getLogoutUrl());
    
    // The URL the user is redirected to after logout.
    $redirectUri = Config::get('app.url');
    
    // Keycloak v18+ does support a post_logout_redirect_uri in combination with a
    // client_id or an id_token_hint parameter or both of them.
    // NOTE: You will need to set valid post logout redirect URI in Keycloak.
    return redirect(Socialite::driver('keycloak')->getLogoutUrl($redirectUri, env('KEYCLOAK_CLIENT_ID')));
    return redirect(Socialite::driver('keycloak')->getLogoutUrl($redirectUri, null, 'YOUR_ID_TOKEN_HINT'));
    return redirect(Socialite::driver('keycloak')->getLogoutUrl($redirectUri, env('KEYCLOAK_CLIENT_ID'), 'YOUR_ID_TOKEN_HINT'));
    
    // You may add additional allowed parameters as listed in
    // https://openid.net/specs/openid-connect-rpinitiated-1_0.html
    return redirect(Socialite::driver('keycloak')->getLogoutUrl($redirectUri, CLIENT_ID, null, ['state' => '...'], ['ui_locales' => 'de-DE']));
    
    // Keycloak before v18 does support a redirect URL
    // to redirect back to Keycloak.
    return redirect(Socialite::driver('keycloak')->getLogoutUrl($redirectUri));
}

# Keycloak <= 3.2

Keycloak below v3.2 requires no scopes to be set. Later versions require the openid scope for all requests.

return Socialite::driver('keycloak')->scopes([])->redirect();

See the upgrade guide (opens new window).