[keycloak-dev] social/broker errors

Marek Posolda mposolda at redhat.com
Wed Mar 25 12:23:02 EDT 2015


On 25.3.2015 16:27, Bill Burke wrote:
> So Salesforce IDP is the "parent" and Keycloak is the child?
Yes
> I think Salesforce IDP should be logged out as well, because think 
> of it this way
>
> 1. user logs out of keycloak app, but doesn't get logged out of 
> Salesforce
> 2. user goes away form machine
> 3. Attacker sits down at desk
> 4. Attacker visits keycloak app
> 5. Still logged in at Salesforce, so keycloak app has a successful 
> login due to SSO.
I see the point. However, if you consider a scenario like:

1. I am logged in to salesforce.com and doing some important transactions there
2. Now I clicked to a different browser tab and want to quickly check 
something in some keycloak-secured-app. I logged in to the app through 
Keycloak + Salesforce broker
3. I checked the calendar, clicked "logout" in Zimbra and I want to continue 
back in Salesforce. But I am logged out from Salesforce... :-(


The prompt makes sense to me. At least for the cases when the user was 
logged in before. But I'm not sure if there is a way to track this (in case 
Keycloak itself is the parent broker, we can check if the auth method was 
FORM (user just logged in) or SSO (user was already logged in before)), but 
that would require propagating this info from the parent broker to the child 
broker too. Maybe the easiest is to always display the prompt?

Marek
>
> I have
>
> Currently, if you don't register a logout url for saml or oidc broker 
> providers, then logout isn't propagated to parent IDP. Parent to child 
> logout will always happen though.  I have no controls in place for that.
>
> I do not support logout for social providers.
>
> We might want to have a prompt asking if the user should be logged out 
> from parent.
>
>
>
> On 3/25/2015 11:02 AM, Marek Posolda wrote:
>> Question about logout: Should logout always trigger parent broker logout
>> even if "child" is not the initiator of parent SSO login?
>>
>> Some example: I have keycloak server on configured to login against
>> Salesforce SAML broker
>>
>> 1) I login to Salesforce
>> 2) Then I login to Keycloak using the Salesforce broker
>> 3) Now I trigger logout from Keycloak. Should it trigger logout from
>> Salesforce too? IMO it shouldn't as localhost:8081 wasn't the initiator
>> of the Salesforce login (in step 1).
>>
>> Wdyt?
>>
>> Marek
>>
>>
>> On 25.3.2015 14:57, Stian Thorgersen wrote:
>>> Had a quick look at it and it seems Facebook and GitHub return the access
>>> token response as form-url-encoded (access_token=<...>&foo=bar).
>>>
>>> Another thing I spotted was that I'm pretty sure we're not validating
>>> the SSL connection when sending requests to the IdPs. We should drop
>>> the SimpleHttp util I created and use something better (Apache or
>>> RestEasy) and make sure it's possible to set up a truststore.
>>> SimpleHttp was only created as we initially wanted the social lib to
>>> be a reusable lightweight lib, but now it's only for KC so there's no
>>> point in it and it's pretty crap for many reasons!
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Wednesday, 25 March, 2015 2:52:07 PM
>>>> Subject: [keycloak-dev] social/broker errors
>>>>
>>>> I'll look into all the social/broker errors and test out on all social
>>>> providers (again) after I finish up some logout work.
>>>> -- 
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>
>
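Two of the points Stian raises above (social providers answering the token request as form-url-encoded instead of JSON, and the broker not validating the TLS connection to the IdP) can be illustrated with a small added example. This is not Keycloak's code and assumes nothing about its internal API; the sample token responses are constructed here, and the truststore path is a hypothetical parameter.

```python
import json
import ssl
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample responses: the JSON form RFC 6749 specifies, and the
# form-url-encoded form Facebook/GitHub returned at the time of the thread.
SAMPLE_JSON_BODY = '{"access_token":"xyz","token_type":"Bearer","scope":"email"}'
SAMPLE_FORM_BODY = "access_token=abc123&token_type=bearer&scope=user"


def parse_token_response(content_type: str, body: str) -> dict:
    """Parse an OAuth2 token endpoint response, dispatching on Content-Type.

    Treating every provider's answer as JSON is what produced the broker
    errors; a provider that sends form-url-encoded must be parsed as such.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        fields = json.loads(body)
    elif media_type == "application/x-www-form-urlencoded":
        # parse_qs yields a list per key; a token response has one value each.
        fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    else:
        raise ValueError(f"unexpected token response content type: {content_type!r}")
    if "error" in fields:
        # OAuth2 error responses carry 'error' and optionally 'error_description'.
        raise ValueError(f"IdP error: {fields['error']}: {fields.get('error_description', '')}")
    token = fields.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response carries no access_token")
    return {"access_token": token, "token_type": fields.get("token_type"),
            "scope": fields.get("scope")}


def idp_ssl_context(truststore_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for outbound calls to an IdP.

    The certificate chain and the hostname are always verified. When a
    dedicated truststore (a PEM bundle, hypothetical path) is given, only the
    CAs in it are trusted; otherwise the platform's default CAs are used.
    An unverified client would let an on-path attacker hand the broker a
    forged token response.
    """
    ctx = ssl.create_default_context(cafile=truststore_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```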