Ragflow Oauth with Keycloak

[istvanduro]

I would like to authenticate Ragflow using Keycloak with OAuth. The login works perfectly, but unfortunately, during logout, the Keycloak session is not ended, meaning the end_session_endpoint is not being called. Does anyone know the correct solution to this problem?

[dosubot[bot]]

Hi @istvanduro! I'm Dosu and I’m helping the ragflow team.

Ragflow currently handles logout by clearing local session tokens and relies on the backend to return a 401 response to trigger logout, but it does not call the Keycloak end_session_endpoint—so the Keycloak session remains active and federated logout does not occur see discussion. The OIDC/OAuth client code loads provider metadata but does not use the end_session_endpoint for logout, and there’s no built-in logic to call it during logout see code.

To support full Keycloak logout, you’d need to extend the logout flow to call the end_session_endpoint from the OIDC metadata, likely by updating the OIDCClient and the logout controller to redirect the user or make a backend call to that endpoint. Make sure to handle post-logout redirect URIs and any required parameters for Keycloak. The code is modular, so adding this logic should be straightforward.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}