[keycloak-dev] social/broker errors

Bill Burke bburke at redhat.com
Wed Mar 25 11:27:47 EDT 2015


So Salesforce IDP is the "parent" and Keycloak is the child?  I think 
Salesforce IDP should be logged out as well, because think of it this way

1. user logs out of keycloak app, but doesn't get logged out of Salesforce
2. user goes away from machine
3. Attacker sits down at desk
4. Attacker visits keycloak app
5. Still logged in at Salesforce, so keycloak app has a successful login 
due to SSO.

I have

Currently, if you don't register a logout url for saml or oidc broker 
providers, then logout isn't propagated to parent IDP.  Parent to child 
logout will always happen though.  I have no controls in place for that.

I do not support logout for social providers.

We might want to have a prompt asking if the user should be logged out 
from parent.



On 3/25/2015 11:02 AM, Marek Posolda wrote:
> Question about logout: Should logout always trigger parent broker logout
> even if "child" is not the initiator of parent SSO login?
>
> Some example: I have keycloak server on configured to login against
> Salesforce SAML broker
>
> 1) I login to Salesforce
> 2) Then I login to Keycloak using the Salesforce broker
> 3) Now I trigger logout from Keycloak. Should it trigger logout from
> Salesforce too? IMO it shouldn't as localhost:8081 wasn't the initiator
> of the Salesforce login (in step 1).
>
> Wdyt?
>
> Marek
>
>
> On 25.3.2015 14:57, Stian Thorgersen wrote:
>> Had a quick look at it and it seems Facebook and GitHub return access
>> token response as form-url-encoded (access_token=<...>&foo=bar).
>>
>> Another thing I spotted was that I'm pretty sure we're not validating
>> the SSL connection when sending requests to the IdPs. We should drop
>> the SimpleHttp util I created and use something better (Apache or
>> RestEasy) and make sure it's possible to setup a truststore.
>> SimpleHttp was only created as we initially wanted the social lib to
>> be a reusable lightweight lib, but now it's only for KC so there's no
>> point in it and it's pretty crap for many reasons!
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 25 March, 2015 2:52:07 PM
>>> Subject: [keycloak-dev] social/broker errors
>>>
>>> I'll look into all the social/broker errors and test out on all social
>>> providers (again) after I finish up some logout work.
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
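The shared-workstation scenario in Bill's message, and the two propagation rules he states (parent-to-child logout always happens; child-to-parent logout only when a logout URL is registered for the broker provider), as a small Python model. This is an added example written for this page, not Keycloak code; the class, its method names and the user name "alice" are all constructed for illustration.

```python
"""Toy model of logout propagation in brokered SSO (added example, not Keycloak code).

A parent IdP (the Salesforce SAML IdP in the thread) and a child Keycloak realm
that brokers logins through it. The model tracks which side holds a live session
and what each logout does, depending on whether the broker provider has a
logout URL registered (the knob the thread says controls child-to-parent logout).
"""
from dataclasses import dataclass, field


@dataclass
class BrokeredSso:
    # True when a logout URL is registered for the broker provider.
    parent_logout_url_registered: bool
    parent_sessions: set = field(default_factory=set)
    child_sessions: set = field(default_factory=set)

    def login_parent(self, user: str) -> None:
        """User authenticates directly at the parent IdP (Marek's step 1)."""
        self.parent_sessions.add(user)

    def login_child(self, user: str, credentials_ok: bool = True) -> str:
        """User visits the child app; returns how the login was satisfied."""
        if user in self.child_sessions:
            return "child-session"
        if user in self.parent_sessions:
            # Parent still holds a session: broker login succeeds via SSO, no prompt.
            self.child_sessions.add(user)
            return "sso-from-parent"
        if credentials_ok:
            # Fresh authentication at the parent, then a brokered child session.
            self.parent_sessions.add(user)
            self.child_sessions.add(user)
            return "authenticated"
        return "denied"

    def logout_child(self, user: str) -> None:
        """Logout initiated at the child; reaches the parent only if a logout URL is registered."""
        self.child_sessions.discard(user)
        if self.parent_logout_url_registered:
            self.parent_sessions.discard(user)

    def logout_parent(self, user: str) -> None:
        """Logout initiated at the parent; parent-to-child logout always happens."""
        self.parent_sessions.discard(user)
        self.child_sessions.discard(user)


def shared_workstation_scenario(parent_logout_url_registered: bool) -> str:
    """Replay the five-step scenario from the message: after the user logs out of
    the child only, does the next visit to the child app log in silently?"""
    sso = BrokeredSso(parent_logout_url_registered)
    sso.login_parent("alice")      # constructed user, already signed in at the parent
    sso.login_child("alice")       # logs into the child app through the broker
    sso.logout_child("alice")      # step 1: logs out of the child app only
    # steps 2-5: the next person at the same browser visits the child app
    # without knowing any credentials
    return sso.login_child("alice", credentials_ok=False)


if __name__ == "__main__":
    print("no logout URL registered:", shared_workstation_scenario(False))
    print("logout URL registered:   ", shared_workstation_scenario(True))
```

With no logout URL registered the replay returns "sso-from-parent": the child session is gone but the parent's session satisfies the brokered login with no prompt, which is exactly the window the message describes. With the URL registered the same replay returns "denied".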


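Two of the problems Stian raises in the quoted reply are mechanical enough to show in code: some providers (Facebook and GitHub are named) return the access-token response form-url-encoded rather than as JSON, and the client must verify the IdP's TLS certificate against a configurable truststore. The following is an added example, not Keycloak's or SimpleHttp's code; the function names and the sample responses are constructed for illustration.

```python
"""Added example (not Keycloak code): parse an access-token response that may be
JSON or form-url-encoded, and build an HTTPS client context that verifies the
IdP's certificate chain and hostname against a truststore."""
import json
import ssl
from typing import Optional
from urllib.parse import parse_qs


class TokenResponseError(ValueError):
    """Raised when the token response is malformed or carries no access_token."""


def parse_token_response(content_type: str, body: str) -> dict:
    """Return the fields of an access-token response.

    Dispatches on the Content-Type header: application/json, or
    application/x-www-form-urlencoded (access_token=...&foo=bar), which is the
    form the thread says Facebook and GitHub return.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        fields = json.loads(body)
        if not isinstance(fields, dict):
            raise TokenResponseError("JSON token response is not an object")
    elif media_type == "application/x-www-form-urlencoded":
        # parse_qs yields lists; a token response has one value per key.
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    else:
        raise TokenResponseError(f"unexpected content type: {content_type}")
    if not fields.get("access_token"):
        raise TokenResponseError("response carries no access_token")
    return fields


def idp_tls_context(truststore_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context for requests to the IdP.

    truststore_pem (assumed to be a path to a PEM bundle) replaces the system
    CA store when given. Chain and hostname verification are always on; the
    point of the thread is that the old SimpleHttp client skipped them.
    """
    ctx = ssl.create_default_context(cafile=truststore_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both checks the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed sample responses in both shapes.
    print(parse_token_response("application/x-www-form-urlencoded",
                               "access_token=abc123&token_type=bearer"))
    print(parse_token_response("application/json; charset=utf-8",
                               '{"access_token": "xyz", "expires_in": 3600}'))
    print("verifies peer:", context_verifies_peer(idp_tls_context()))
```

The context would be passed to whatever HTTP client makes the IdP call (for example `urllib.request.urlopen(req, context=ctx)`); the check function is there so a test can assert the weak configuration (no chain or hostname verification) never comes back from `idp_tls_context`.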