Greetings colleagues! I am implementing Keycloak (kc) to restrict access to my hosts.
Stack:
- Debian, docker-compose
- Traefik (reverse-proxy), letsencrypt
- keycloak over thomseddon/traefik-forward-auth:2
To set up kc, I followed the guide at geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/
Accessing test.example.com redirects to the Keycloak login form. Authorization works, and the forwarding is correct.
But logout does not work correctly. To log out successfully, the user has to go to test.example.com/_oauth/logout and then immediately go to keycloak.example.com/auth/admin/master/console and press logout there. Otherwise, the user remains logged in.
Please help me understand the problem. Why is the logout incorrect?
Config:
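# docker-compose stack: Traefik (TLS termination, Let's Encrypt) -> traefik-forward-auth
# (OIDC client) -> Keycloak + Postgres, plus a whoami test backend.
# The original post lost its indentation and showed hostnames as `keyc.\example.\com`;
# the backslashes are forum de-linking artifacts and are dropped here so the Host()
# rules actually match. Lines marked NOTE(review) are points to confirm, not facts.
version: '3'

services:
  trfk:
    image: traefik:2.6
    networks:
      - dev
    container_name: srv_traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      # quoted: an unquoted `80:80` is a YAML 1.1 sexagesimal integer (4880) on
      # some parsers, which then fails the ports schema
      - "80:80"
      - "443:443"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # a read-only bind of the socket still grants the full Docker API to this
      # process; treat the Traefik container as trusted infrastructure
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # NOTE(review): Traefik reads static configuration from the first source it
      # finds, file before CLI flags; if /traefik.yml is a valid static config the
      # flags under `command:` below may be ignored entirely — check the Traefik log
      - ./traefik.yml:/traefik.yml:ro
      - ./custom/:/custom/:ro
      - ./acme.json:/acme.json
    # written as a sequence like the other services; with the indentation lost it
    # was ambiguous whether this was a multi-line plain scalar folded into one string
    command:
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
      # NOTE(review): middlewares referenced from static configuration are
      # provider-qualified (`traefik-forward-auth@docker`). If this entry-point
      # middleware does take effect it also fronts the keyc and traefik-forward-auth
      # routers below; if it does not, the dashboard router (`api@internal`) has no
      # auth middleware of its own and is reachable unauthenticated — confirm which
      - "--entrypoints.https.http.middlewares=traefik-forward-auth"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      # no router references the `traefik-traefik` service (the router above uses
      # api@internal); this label is dead and can be dropped
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"

  traefik-forward-auth:
    networks:
      - dev
    container_name: srv_oauth
    restart: unless-stopped
    image: thomseddon/traefik-forward-auth:2
    command:
      - "--default-provider=oidc"
      - "--providers.oidc.issuer-url=https://keyc.example.com/auth/realms/master"
      - "--providers.oidc.client-id=my-traefik-forward-auth"
      # placeholder values from the post; load the real client secret and cookie
      # signing secret from an env_file or `${VAR}` substitution rather than
      # committing them with the stack
      - "--providers.oidc.client-secret=111111111111111111111111111111111111"
      - "--secret=222222222222222222222222222222222222"
      # `--insecure-cookie` removed: every public entry point is HTTPS (port 80 only
      # redirects), so the session cookie can carry the Secure attribute
      - "--cookie-domain=example.com"
      - "--auth-host=auth.example.com"
      # Why logout only half works: /_oauth/logout clears the forward-auth cookie
      # and nothing else; the Keycloak SSO session survives, so the next request
      # is silently re-authenticated without a password prompt. After clearing its
      # cookie, send the browser on to Keycloak's end-session endpoint so both
      # sessions end. The redirect_uri must be listed in the client's Valid
      # Redirect URIs; confirm the endpoint path for your Keycloak version.
      - "--logout-redirect=https://keyc.example.com/auth/realms/master/protocol/openid-connect/logout?redirect_uri=https://whoami.example.com/"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=https"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=letsEncrypt"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.example.com`)"
      # auth-host mode: the auth host itself must pass through the middleware
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

  keyc:
    networks:
      - dev
    image: jboss/keycloak:16
    depends_on:
      - keypg
    environment:
      # bootstrap admin credentials; rotate after first start and keep them out of
      # the committed compose file
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      DB_VENDOR: postgres
      # NOTE(review): no service or container named `key` is declared in this file;
      # the Postgres service is `keypg` — confirm which name the container resolves
      DB_ADDR: key
      DB_USER: key
      DB_PASSWORD: pass
      # quoted on purpose: Keycloak reads the env text, and a bare true would be
      # a YAML boolean
      PROXY_ADDRESS_FORWARDING: 'true'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keyc.rule=Host(`keyc.example.com`)"
      - "traefik.http.routers.keyc.service=keyc"
      - "traefik.http.routers.keyc.entrypoints=https"
      - "traefik.http.services.keyc.loadbalancer.server.port=8080"
      - "traefik.http.routers.keyc.tls=true"
      - "traefik.http.routers.keyc.tls.certresolver=letsEncrypt"
      - "traefik.http.services.keyc.loadbalancer.passhostheader=true"

  keypg:
    networks:
      - dev
    image: postgres:12
    # no published ports: the database is reachable only on the `dev` network
    volumes:
      - ./key-pg:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: key
      POSTGRES_USER: key
      # placeholder from the post; supply via env_file or `${VAR}` substitution
      POSTGRES_PASSWORD: pass

  test:
    image: containous/whoami
    container_name: srv_test
    restart: always
    networks:
      - dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      # the protected backend attaches the forward-auth middleware explicitly, so it
      # stays protected even if the entry-point middleware above is not applied
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
      - "traefik.http.routers.whoami.service=whoami"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=letsEncrypt"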