[keycloak-dev] identity broker changes

Bill Burke bburke at redhat.com
Fri Mar 20 19:07:02 EDT 2015


SPI has changed to support logout and multiple callback endpoints (i.e. 
keycloak oidc chaining will require a logout callback).  This SPI is 
quite complex, so I don't think we want to expose this to users.  I'm 
not very happy with it, but I'm not sure how to improve it yet.

What works now:
* If logged in via a SAML broker, a keycloak initiated browser logout 
will log out of the SAML broker too.

What do I still need to do:
* Make "Update profile" false by default.
* Improve SAML admin console page.
* Implement OIDC broker keycloak initiated browser logout.
* Implement OIDC logout endpoint so that I can test OIDC brokering with 
Keycloak as a parent.
* Implement SAML backchannel logout where the parent IDP sends a 
backchannel logout request.
* Create a new "Keycloak OIDC" provider which extends OIDC and adds 
keycloak extensions like logout.
* Review to make sure error handling is correct.

So, still a lot to do, but I'm at a milestone.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

