[keycloak-dev] openid connect iframe logout

Bill Burke bburke at redhat.com
Fri May 9 09:16:50 EDT 2014


Ok, I think I know why the iframe technique exists:

Specifically to avoid network traffic.  From spec: " it is desirable to 
be able to check the login status at the OP without causing network 
traffic".

This could only work if our cookies were viewable in Javascript. (not 
HttpOnly).  But just Google "steal cross domain cookies" and you'll see 
why this just isn't a great idea.

On 5/9/2014 6:52 AM, Stian Thorgersen wrote:
> Added issues:
> * https://issues.jboss.org/browse/KEYCLOAK-450
> * https://issues.jboss.org/browse/KEYCLOAK-451
>
> I don't get the OpenID technique. Would it not be simpler to have a periodic XMLHttpRequest (or even better an async WebSocket) to retrieve the status of a session? The whole concept of iframes seems very hacky to me.
>
> I think what we have at the moment is good enough (at least for beta1), and we can look at this later.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 9 May, 2014 3:05:26 AM
>> Subject: [keycloak-dev] openid connect iframe logout
>>
>> I'm looking at:
>>
>> http://openid.net/specs/openid-connect-session-1_0.html
>>
>> I don't think using iframes for single log out is any better than what
>> we're currently doing and planning on doing for keycloak.js.
>>
>> For the OpenID Iframe technique, if our global login cookies are
>> HttpOnly, then the OP Iframe will have to do a periodic "ping" request
>> to the server to test the cookie.  This is really no different than the
>> current plan to expire login sessions and invalidate refresh token
>> requests based on a login-session id.  I say this because there is
>> still a time element involved where there is a window from when the user
>> logs out and either the periodic "ping" hasn't been executed yet (openid
>> connect iframe technique), or the access token hasn't expired yet.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

