From 9dc425639cdb9cfd588e195fdf3137dd63d671ed Mon Sep 17 00:00:00 2001
From: "rd.houdayer" <rd.houdayer@gmail.com>
Date: Sat, 15 Mar 2025 10:17:44 -0400
Subject: [PATCH 1/2] Add a clean logout with Keycloak

---
 src/HybridAuthLoginExtension.php | 38 ++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/HybridAuthLoginExtension.php b/src/HybridAuthLoginExtension.php
index eba270c..0229c07 100644
--- a/src/HybridAuthLoginExtension.php
+++ b/src/HybridAuthLoginExtension.php
@@ -323,15 +323,35 @@ private static function GetProviderName()
 	 */
 	public function LogoutAction()
 	{
-		if (utils::StartsWith(Session::Get('login_mode'), 'hybridauth-'))
-		{
-			$oAuthAdapter = self::ConnectHybridAuth();
-			// Does not redirect...
-			// and actually just clears the session variable,
-			// almost useless we can log again without any further user interaction
-			// At least it disconnects from iTop
-			$oAuthAdapter->disconnect();
-		}
+		$loginMode = Session::Get('login_mode');
+	  if ($loginMode === 'hybridauth-Keycloak')
+	  {
+			// Allow a clean logout with Keycloak 
+	    $oAuthAdapter = self::ConnectHybridAuth();
+	    $providers = Config::Get('providers');
+
+	    $keycloakServer = $providers['Keycloak']['url'];
+	    $realmName = $providers['Keycloak']['realm'];
+	    $clientId = $providers['Keycloak']['keys']['id'];
+
+	    $redirectUri = utils::GetAbsoluteUrlAppRoot().'pages/UI.php';
+	    $logoutUrl = "{$keycloakServer}/realms/{$realmName}/protocol/openid-connect/logout?post_logout_redirect_uri={$redirectUri}&client_id={$clientId}";
+
+	    // Disconnection from iTop
+	    $oAuthAdapter->disconnect();
+
+	    // Redirection to Keycloak
+	    header("Location: $logoutUrl");
+	  }
+	  else if (utils::StartsWith($loginMode, 'hybridauth-'))
+	  {
+	    $oAuthAdapter = self::ConnectHybridAuth();
+	    // Does not redirect...
+	    // and actually just clears the session variable,
+	    // almost useless we can log again without any further user interaction
+	    // At least it disconnects from iTop
+	    $oAuthAdapter->disconnect();
+	  }
 	}
 
 	private function DoUserProvisioning(string $sLoginMode)

From 1dd1ae813358126a8ed7a2195cdbe77a74fae75c Mon Sep 17 00:00:00 2001
From: "rd.houdayer" <rd.houdayer@gmail.com>
Date: Sat, 15 Mar 2025 10:30:27 -0400
Subject: [PATCH 2/2] Remove tabulation

---
 src/HybridAuthLoginExtension.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/HybridAuthLoginExtension.php b/src/HybridAuthLoginExtension.php
index 0229c07..32bbda9 100644
--- a/src/HybridAuthLoginExtension.php
+++ b/src/HybridAuthLoginExtension.php
@@ -326,7 +326,7 @@ public function LogoutAction()
 		$loginMode = Session::Get('login_mode');
 	  if ($loginMode === 'hybridauth-Keycloak')
 	  {
-			// Allow a clean logout with Keycloak 
+		  // Allow a clean logout with Keycloak 
 	    $oAuthAdapter = self::ConnectHybridAuth();
 	    $providers = Config::Get('providers');
 
@@ -342,7 +342,7 @@ public function LogoutAction()
 
 	    // Redirection to Keycloak
 	    header("Location: $logoutUrl");
-	  }
+	  } 
 	  else if (utils::StartsWith($loginMode, 'hybridauth-'))
 	  {
 	    $oAuthAdapter = self::ConnectHybridAuth();