[keycloak-dev] openid connect iframe logout
Bill Burke
bburke at redhat.com
Thu May 8 22:05:26 EDT 2014
I'm looking at:

http://openid.net/specs/openid-connect-session-1_0.html

I don't think using iframes for single log out is any better than what
we're currently doing and planning on doing for keycloak.js.

For the OpenID Iframe technique, if our global login cookies are
HttpOnly, then the OP Iframe will have to do a periodic "ping" request
to the server to test the cookie. This is really no different than the
current plan to expire login sessions and invalidate refresh token
requests based on a login-session id. I say this because there is
still a time element involved where there is a window from when the user
logs out and either the periodic "ping" hasn't been executed yet (openid
connect iframe technique), or the access token hasn't expired yet.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
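
The two logout windows compared in the message above, as an added example that is not part of the original post and is not Keycloak code. `LoginServer`, `exposureWindows`, the session id and all timings are hypothetical, and time is a simple counter in seconds.

```javascript
// Constructed model of a login server that tracks login sessions by id.
class LoginServer {
  constructor(tokenLifetime) {
    this.sessions = new Set();
    this.tokenLifetime = tokenLifetime;
  }
  issue(sessionId, now) {
    return { sessionId, exp: now + this.tokenLifetime };
  }
  login(sessionId, now) {
    this.sessions.add(sessionId);
    return this.issue(sessionId, now);
  }
  logout(sessionId) {
    this.sessions.delete(sessionId);
  }
  // The iframe "ping": the HttpOnly cookie is unreadable from script,
  // so the only way to test it is to ask the server.
  ping(sessionId) {
    return this.sessions.has(sessionId);
  }
  // Refresh is refused once the login session has been invalidated.
  refresh(token, now) {
    return this.sessions.has(token.sessionId) ? this.issue(token.sessionId, now) : null;
  }
}

// Seconds between logout and the moment each client notices it.
function exposureWindows({ logoutAt, pingInterval, tokenLifetime }) {
  const server = new LoginServer(tokenLifetime);
  let token = server.login("s1", 0);
  let iframeSeen = null;
  let tokenSeen = null;
  for (let t = 0; iframeSeen === null || tokenSeen === null; t++) {
    if (t === logoutAt) server.logout("s1");
    // Iframe client: notices at the first ping after logout.
    if (iframeSeen === null && t % pingInterval === 0 && !server.ping("s1")) {
      iframeSeen = t;
    }
    // Token client: keeps using the access token until it expires,
    // and notices only when the refresh request is rejected.
    if (tokenSeen === null && t >= token.exp) {
      const next = server.refresh(token, t);
      if (next === null) tokenSeen = t;
      else token = next;
    }
  }
  return { iframeWindow: iframeSeen - logoutAt, tokenWindow: tokenSeen - logoutAt };
}
```

In this model each window is bounded by its own timer, the ping interval in one case and the access token lifetime in the other.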