[keycloak-dev] identity broker changes

Bill Burke bburke at redhat.com
Wed Mar 25 19:23:15 EDT 2015


Finished backchannel logout for OIDC and SAML.  Created a "Keycloak 
OIDC" type that handles our logout protocol.  Had to make changes to 
UserSessionProvider and Model to get this to work (and work 
efficiently).  I think I fixed Facebook and GitHub login, but I haven't 
tested it yet.

Still need to:
* Make sure appliance works (all the module dependency stuff)
* Write automated tests
* Auto-import certificate for OIDC validation and .well-known address
* Review to make sure error handling is correct.  Tests too for this.

Gonna take me a while to write all the tests :(



On 3/20/2015 7:07 PM, Bill Burke wrote:
> SPI has changed to support logout and multiple callback endpoints (i.e.
> Keycloak OIDC chaining will require a logout callback).  This SPI is
> quite complex, so I don't think we want to expose this to users.  I'm
> not very happy with it, but I'm not sure how to improve it yet.
>
> What works now:
> * If logged in via a SAML broker, a Keycloak-initiated browser logout
> will log out of the SAML broker too.
>
> What do I still need to do:
> * Make "Update profile" false by default.
> * Improve SAML admin console page.
> * Implement OIDC broker Keycloak-initiated browser logout.
> * Implement OIDC logout endpoint so that I can test OIDC brokering with
> Keycloak as a parent.
> * Implement SAML backchannel logout where the parent IDP sends a
> backchannel logout request.
> * Create a new "Keycloak OIDC" provider which extends OIDC and adds
> Keycloak extensions like logout.
> * Review to make sure error handling is correct.
>
> So, still a lot to do, but I'm at a milestone.
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

