[keycloak-dev] Session SPI for adapters

Stian Thorgersen stian at redhat.com
Tue Oct 7 04:00:15 EDT 2014



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 7 October, 2014 9:38:07 AM
> Subject: Re: [keycloak-dev] Session SPI for adapters
> 
> On 7.10.2014 08:13, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 6 October, 2014 8:38:01 PM
> >> Subject: Re: [keycloak-dev] Session SPI for adapters
> >>
> >>
> >>
> >> On 10/6/2014 10:28 AM, Bill Burke wrote:
> >>>
> >>> On 10/6/2014 9:58 AM, Marek Posolda wrote:
> >>>> On 6.10.2014 15:26, Bill Burke wrote:
> >>>>>
> >>>>> A few more things:
> >>>>>
> >>>>> Stian made a good point that any extensions we do have to be
> >>>>> compatible with non-Keycloak pure OIDC adapters.  The thing is, though,
> >>>>> OIDC doesn't have a logout request like SAML does.  I'll ping Pedro to
> >>>>> see if session information can be extracted from a logout request.
> >>>>>
> >>>> AFAIR SAML single sign-out is based on a chain of browser redirections to
> >>>> all apps where you are logged in. No "out-of-band" requests. At least
> >>>> that's how PicketLink does it AFAIK (not 100% sure and not sure about the
> >>>> SAML specs). So in this case the logout request is browser-based and has
> >>>> access to the JSESSIONID cookie. Hence there is no need to maintain a
> >>>> sessionId in Keycloak or any state on the adapters either. I am not 100%
> >>>> sure (will try to double-check..)
> >>>>
> >>> SAML has out-of-band logout requests too.  At least that's what I think
> >>> Pedro told me.
> >>>
> >> For PicketLink SAML SPs, you either do a browser redirect protocol to
> >> each SP for Single Logout, or you do an out-of-band logout request to
> >> the SP.  The PL SAML SP adapter currently has the same problem as us in a
> >> cluster.  They keep an in-memory map between username and HTTP session.
> > Would it make sense to add redirect logout as well? Then you can set in the
> > admin console which logout mechanism you want (none, redirect or
> > out-of-band request?)
> For me it makes sense. Regarding SAML, I looked briefly and the spec
> supports both redirect and out-of-band. Redirect seems to be preferred
> according to SAML-Profiles-2.0, section 4.4.3.1:
> 
> "The identity provider SHOULD then propagate any required logout
> messages to additional session participants as required using either a
> synchronous or asynchronous binding. The use of an asynchronous binding
> for the original request is preferred because it gives the identity
> provider the best chance of successfully propagating the logout to the
> other session participants during step 3."
> 
> By asynchronous binding it means propagating the request through the browser.
> 
> It seems that supporting redirect will be good. Even if the PicketLink SP
> has some possible solution for out-of-band (which is not cluster-aware),
> for interoperability with other third-party SAML SPs redirect might be the
> only possibility.

I was wondering about adding an option to keycloak.js to allow storing the tokens in HTML5 session storage. Currently we don't store the tokens, but instead start a new client session every time the screen is refreshed. If we added this logout redirect feature, that would make it possible to remove these tokens on logout as well.

> 
> Marek
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> 


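The two ideas in this thread that touch the browser client, keeping tokens in HTML5 sessionStorage across a refresh and clearing them when a front-channel (redirect) logout lands on the app, are sketched below as an added example. This is not keycloak.js code and not how keycloak.js does it; the names (TokenStore, the 'kc-tokens' storage key, the `logged_out` query parameter) and the in-memory storage stand-in are assumptions made for the illustration. The one check worth noting is that tokens are only reused after a refresh while the access token's `exp` claim is still in the future; a stale token is dropped rather than sent.

```javascript
// Added example (not keycloak.js code): a token store for a browser client that
// persists tokens in sessionStorage so they survive a page refresh, restores them
// only while the access token is unexpired, and wipes them on a logout redirect.
// Names (TokenStore, STORAGE_KEY, the logout query parameter) are assumptions.

const STORAGE_KEY = 'kc-tokens'; // assumed key name

// Decode a JWT payload WITHOUT verifying the signature. The browser only uses
// the claims to decide whether the token is worth sending; the server verifies.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  const json = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('utf8');
  return JSON.parse(json);
}

class TokenStore {
  // `storage` is anything with getItem/setItem/removeItem, e.g. window.sessionStorage.
  constructor(storage, now = () => Math.floor(Date.now() / 1000)) {
    this.storage = storage;
    this.now = now;
    this.tokens = null;
  }

  // After a successful login: keep the tokens for this tab only.
  save(tokens) {
    this.tokens = tokens;
    this.storage.setItem(STORAGE_KEY, JSON.stringify(tokens));
  }

  // On page load: reuse stored tokens instead of starting a new client session,
  // but only if the access token has not expired (allowing a small clock skew).
  restore(skewSeconds = 5) {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    let tokens, exp;
    try {
      tokens = JSON.parse(raw);
      exp = decodeJwtPayload(tokens.accessToken).exp;
    } catch (e) {
      this.clear(); // unparseable entry: treat as no session
      return null;
    }
    if (typeof exp !== 'number' || exp - skewSeconds <= this.now()) {
      this.clear(); // expired: do not resurrect a dead session
      return null;
    }
    this.tokens = tokens;
    return tokens;
  }

  clear() {
    this.tokens = null;
    this.storage.removeItem(STORAGE_KEY);
  }
}

// Front-channel logout: the IdP redirects the browser back to this app with a
// marker in the URL; drop the stored tokens before anything else runs.
// The parameter name `logged_out` is an assumption for this example.
function handleLogoutRedirect(store, url) {
  const params = new URL(url).searchParams;
  if (params.get('logged_out') === '1') {
    store.clear();
    return true;
  }
  return false;
}

// In-memory stand-in for window.sessionStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample input: an unsigned JWT (alg none); only the payload matters here.
function makeTestJwt(payload) {
  const enc = (obj) => {
    const json = JSON.stringify(obj);
    const b64 = typeof btoa === 'function' ? btoa(json) : Buffer.from(json, 'utf8').toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Walk through the lifecycle with a fixed clock and return what each step saw.
function demo() {
  const clock = { t: 1412668800 }; // fixed "now" for determinism
  const storage = new MemoryStorage();
  const store = new TokenStore(storage, () => clock.t);
  const live = { accessToken: makeTestJwt({ exp: clock.t + 300, sub: 'alice' }), refreshToken: 'r1' };
  store.save(live);
  const afterRefresh = new TokenStore(storage, () => clock.t).restore(); // survives a refresh
  clock.t += 600;
  const afterExpiry = new TokenStore(storage, () => clock.t).restore();  // expired: dropped
  store.save(live); // a fresh login
  const handled = handleLogoutRedirect(store, 'https://app.example/?logged_out=1');
  const afterLogout = storage.getItem(STORAGE_KEY);
  return { afterRefresh, afterExpiry, handled, afterLogout };
}
```

Using sessionStorage rather than localStorage keeps the tokens scoped to one tab and discards them when the tab closes, which matches the "client session" lifetime described above; the redirect handler is what makes a front-channel logout able to clear them before the tab is closed.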