[keycloak-dev] social/broker errors
Bill Burke
bburke at redhat.com
Wed Mar 25 19:18:48 EDT 2015
On 3/25/2015 12:23 PM, Marek Posolda wrote:
> On 25.3.2015 16:27, Bill Burke wrote:
>> So Salesforce IDP is the "parent" and Keycloak is the child?
> Yes
>> I think Salesforce IDP should be logged out as well, because think
>> of it this way
>>
>> 1. user logs out of keycloak app, but doesn't get logged out of
>> Salesforce
>> 2. user goes away from machine
>> 3. Attacker sits down at desk
>> 4. Attacker visits keycloak app
>> 5. Still logged in at Salesforce, so keycloak app has a successful
>> login due to SSO.
> I see the point. However if you consider scenario like:
>
> 1. I am logged in to salesforce.com and doing some important transactions
> there
> 2. Now I clicked to different browser tab and want to quickly check
> something in some keycloak-secured-app. I logged in to the app through
> Keycloak + Salesforce broker
> 3. I checked calendar, clicked "logout" in Zimbra and I want to continue
> back in Salesforce. But I am logged out from Salesforce... :-(
>
>
> The prompt makes sense to me. At least for the cases when user was
> logged in before. But not sure if there is a way to track this (In case
> that Keycloak itself is parent broker, we can check if auth-method was
> FORM (user just logged in) or SSO (user was already logged before)), but
> that would require propagating this info from parent broker to child
> broker too. Maybe easiest is to always display prompt?
>
What should the prompt say? User will have no idea what it means by
"Should I logout of parent broker?"
Maybe "Logout of <broker> too?"
i.e.
"Logout of Salesforce too?"
"Logout of Facebook too?"
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
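The two scenarios argued in this thread (Bill's unattended desk, Marek's interrupted Salesforce work) as an added simulation; this is constructed model code, not Keycloak's, with `Idp`, `Broker`, the browser id `"desk"` and the user `"alice"` all assumed for illustration. It keeps the parent and child sessions separately and records the FORM/SSO auth method Marek proposes propagating from the parent broker, so both outcomes of "logout of parent too" can be compared.

```python
class Idp:
    """Constructed model (not Keycloak code) of an IdP's browser sessions: browser id -> user."""
    def __init__(self, name):
        self.name, self.sessions = name, {}
    def login(self, browser, user): self.sessions[browser] = user
    def logout(self, browser): self.sessions.pop(browser, None)
    def user(self, browser): return self.sessions.get(browser)

class Broker(Idp):
    """Child broker (Keycloak) that authenticates users through a parent IdP (Salesforce)."""
    def __init__(self, name, parent):
        super().__init__(name)
        self.parent, self.auth_method = parent, {}  # auth_method: browser -> "FORM" | "SSO"

    def broker_login(self, browser, user=None):
        """Existing parent session -> SSO login; otherwise credentials are needed -> FORM login."""
        existing = self.parent.user(browser)
        if existing is None:
            if user is None:
                return None  # no parent session and no credentials: login fails
            self.parent.login(browser, user)
            self.auth_method[browser] = "FORM"
        else:
            user, self.auth_method[browser] = existing, "SSO"
        self.login(browser, user)
        return user

    def needs_prompt(self, browser):
        # Marek's heuristic: ask "Logout of <parent> too?" only when the parent session pre-existed
        return self.auth_method.get(browser) == "SSO"

    def broker_logout(self, browser, logout_parent_too):
        self.logout(browser)
        self.auth_method.pop(browser, None)
        if logout_parent_too:
            self.parent.logout(browser)

def scenario_unattended_desk(logout_parent_too):
    """Bill's scenario: user logs out of the app and walks away; someone else opens the app."""
    sf = Idp("Salesforce"); kc = Broker("Keycloak", sf)
    kc.broker_login("desk", user="alice")  # fresh FORM login at Salesforce through the broker
    kc.broker_logout("desk", logout_parent_too)
    return kc.broker_login("desk")  # no credentials typed: "alice" means SSO still lets them in

def scenario_interrupted_work(logout_parent_too):
    """Marek's scenario: already in Salesforce, briefly uses the app, logs out, wants to continue."""
    sf = Idp("Salesforce"); kc = Broker("Keycloak", sf)
    sf.login("desk", "alice")
    kc.broker_login("desk")  # SSO login, no credentials typed
    prompt = kc.needs_prompt("desk")
    kc.broker_logout("desk", logout_parent_too)
    return prompt, sf.user("desk")  # "alice" means the Salesforce session survived
```

Without the parent logout, the unattended-desk run still returns "alice" for the second visitor; with it, the interrupted-work run drops the Salesforce session the user wanted to keep, which is the trade-off the prompt is meant to resolve.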