keycloak-scim/upgrading/topics/keycloak/changes-19_0_2.adoc

= OpenID Connect Logout Prompt
At Keycloak 18.0.0, the logout is now compatible with the new OIDC specification, which changed the handling for the url parameters. However, to also remain compatible with earlier versions, a compatibility flag is introduced. See the link:{upgradingguide_link}#openid-connect-logout[{upgradingguide_name}] for further information for the backwards compatibility option, which allows your application to still use the old format for the url parameters.

While the url parameters can now be configured to be compatible, there was still one incompatibility with keycloak 17 and earlier releases. If the user does not provide an valid `idTokenHint`, a logout prompt appears instead of a successful logout redirect. Therefore, a new compatibility flag `suppress-logout-confirmation-screen` is introduced to suppress the logout screen.

ifeval::["{kc_dist}" == "quarkus"]
You can enable this parameter when you start the server by entering the following command:

```
bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true start
```
endif::[]

ifeval::["{kc_dist}" == "wildfly"]
You can enable this parameter by including the following configuration in the `standalone-*.xml` file

[source,bash,subs=+attributes]
----
<spi name="login-protocol">
    <provider name="openid-connect" enabled="true">
        <properties>
            <property name="suppress-logout-confirmation-screen" value="true"/>
        </properties>
    </provider>
</spi>
----
endif::[]

With this configuration, you can still use the logout endpoint without a user prompt.

WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.