keycloak · dasniko · Sep 3, 2025
@@ -3172,6 +3172,8 @@ defaultValueHelp=Default value when attribute value is not specified.
 to the attribute. For that, make sure to use any of the built-in validators to properly validate the size and the values.
 sendIdTokenOnLogout=Send 'id_token_hint' in logout requests
 sendIdTokenOnLogoutHelp=If the 'id_token_hint' parameter should be sent in logout requests.
+sendLogoutHintOnLogout=Send 'logout_hint' in logout requests
+sendLogoutHintOnLogoutHelp=If enabled, the 'logout_hint' parameter in the logout request will be added with the value of the 'login_hint' parameter from the id_token.
 sendClientIdOnLogout=Send 'client_id' in logout requests
 sendClientIdOnLogoutHelp=If the 'client_id' parameter should be sent in logout requests.
 addAttributeTranslationBtn=Add translation button

@@ -98,6 +98,11 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
           isDisabled={readOnly}
           stringify
         />
+        <DefaultSwitchControl
+          name="config.sendLogoutHintOnLogout"
+          label={t("sendLogoutHintOnLogout")}
+          stringify
+        />
         <DefaultSwitchControl
           name="config.sendClientIdOnLogout"
           label={t("sendClientIdOnLogout")}

@@ -51,6 +51,10 @@ export const ExtendedNonDiscoverySettings = () => {
           label="sendIdTokenOnLogout"
           defaultValue={"true"}
         />
+        <SwitchField
+          field="config.sendLogoutHintOnLogout"
+          label="sendLogoutHintOnLogout"
+        />
         <SwitchField
           field="config.sendClientIdOnLogout"
           label="sendClientIdOnLogout"

@@ -79,6 +79,7 @@
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.util.JsonSerialization;
 import org.keycloak.util.TokenUtil;
+import org.keycloak.utils.StringUtil;
 import org.keycloak.vault.VaultStringSecret;
 
 import java.io.IOException;
@@ -173,6 +174,7 @@ protected void backchannelLogout(UserSessionModel userSession, String idToken) {
     public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("")) return null;
         String idToken = userSession.getNote(FEDERATED_ID_TOKEN);
+        String loginHint = extractLoginHintFromIdToken(idToken);
         if (getConfig().isBackchannelSupported()) {
             backchannelLogout(userSession, idToken);
             return null;
@@ -183,6 +185,9 @@ public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSess
             if (getConfig().isSendIdTokenOnLogout() && idToken != null) {
                 logoutUri.queryParam("id_token_hint", idToken);
             }
+            if (getConfig().isSendLogoutHintOnLogout() && StringUtil.isNotBlank(loginHint)) {
+                logoutUri.queryParam("logout_hint", loginHint);
+            }
             if (getConfig().isSendClientIdOnLogout()) {
                 logoutUri.queryParam("client_id", getConfig().getClientId());
             }
@@ -196,6 +201,17 @@ public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSess
         }
     }
 
+    protected String extractLoginHintFromIdToken(String idToken) {
+        if (StringUtil.isBlank(idToken)) return null;
+        try {
+            JsonNode jsonNode = JsonSerialization.readValue(parseTokenInput(idToken, false), JsonNode.class);
+            return jsonNode.path("login_hint").asText();
+        } catch (IOException | IdentityBrokerException e) {
+            logger.warn("Failed to extract loginHint from id_token.", e);
+            return null;
+        }
+    }
+
     @Override
     protected Response exchangeStoredToken(UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) {
         FederatedIdentityModel model = session.users().getFederatedIdentity(authorizedClient.getRealm(), tokenSubject, getConfig().getAlias());

@@ -16,12 +16,12 @@
  */
 package org.keycloak.broker.oidc;
 
-import static org.keycloak.common.util.UriUtils.checkUrl;
-
 import org.keycloak.common.enums.SslRequired;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.RealmModel;
 
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
 /**
  * @author Pedro Igor
  */
@@ -80,6 +80,14 @@ public void setSendIdTokenOnLogout(boolean value) {
         getConfig().put("sendIdTokenOnLogout", Boolean.valueOf(value).toString());
     }
 
+    public boolean isSendLogoutHintOnLogout() {
+        return Boolean.parseBoolean(getConfig().getOrDefault("sendLogoutHintOnLogout", Boolean.TRUE.toString()));
+    }
+
+    public void setSendLogoutHintOnLogout(boolean value) {
+        getConfig().put("sendLogoutHintOnLogout", Boolean.valueOf(value).toString());
+    }
+
     public String getPublicKeySignatureVerifier() {
         return getConfig().get("publicKeySignatureVerifier");
     }