[keycloak-dev] social/broker errors

Stian Thorgersen stian at redhat.com
Thu Mar 26 01:22:41 EDT 2015


I don't like the idea of a prompt to the user. I'd rather have a configuration option on the IdP to select when logout should be propagated:

* Always
* Only if used as log-in mechanism
* Never

Same goes for the other way around (user logs out of SalesForce).


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>, "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 26 March, 2015 12:18:48 AM
> Subject: Re: [keycloak-dev] social/broker errors
> 
> 
> 
> On 3/25/2015 12:23 PM, Marek Posolda wrote:
> > On 25.3.2015 16:27, Bill Burke wrote:
> >> So Salesforce IDP is the "parent" and Keycloak is the child?
> > Yes
> >> I think Salesforce IDP should be logged out as well, because think
> >> of it this way
> >>
> >> 1. user logs out of keycloak app, but doesn't get logged out of
> >> Salesforce
> >> 2. user goes away from machine
> >> 3. Attacker sits down at desk
> >> 4. Attacker visits keycloak app
> >> 5. Still logged in at Salesforce, so keycloak app has a successful
> >> login due to SSO.
> > I see the point. However if you consider scenario like:
> >
> > 1. I am logged in to salesforce.com and doing some important transactions
> > there
> > 2. Now I clicked to a different browser tab and want to quickly check
> > something in some keycloak-secured-app. I logged in to the app through
> > Keycloak + Salesforce broker
> > 3. I checked calendar, clicked "logout" in Zimbra and I want to continue
> > back in Salesforce. But I am logged out from Salesforce... :-(
> >
> >
> > The prompt makes sense to me. At least for the cases when the user was
> > logged in before. But not sure if there is a way to track this (in case
> > that Keycloak itself is the parent broker, we can check if the auth-method was
> > FORM (user just logged in) or SSO (user was already logged in before)), but
> > that would require propagating this info from parent broker to child
> > broker too. Maybe the easiest is to always display the prompt?
> >
> 
> What should the prompt say?  User will have no idea what it means by
> "Should I logout of parent broker?"
> 
> Maybe "Logout of <broker> too?"
> 
> i.e.
> 
> "Logout of Saleforce too?"
> "Logout of Facebook too?"
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
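The three-way setting proposed above, and the tracking problem Marek raises, as an added Python sketch that is not Keycloak code: the session record, the per-IdP setting names, and the use of an IdP-reported authentication time (e.g. OIDC's auth_time) to tell a fresh IdP login from a reused IdP session are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LogoutPropagation(Enum):
    """Per-IdP setting (assumed names): when a Keycloak logout is propagated to the IdP."""
    ALWAYS = "always"
    ONLY_IF_LOGIN_MECHANISM = "only-if-login-mechanism"
    NEVER = "never"


@dataclass(frozen=True)
class BrokeredSession:
    """Constructed model of a Keycloak session established through an identity broker."""
    idp_alias: str
    broker_redirect_at: int        # unix time Keycloak sent the browser to the IdP
    idp_auth_time: Optional[int]   # IdP-reported authentication time (assumed, e.g. OIDC auth_time)


def idp_session_created_by_broker_login(session: BrokeredSession) -> Optional[bool]:
    """True: the IdP authenticated the user after the redirect (FORM-like; the broker
    login created the IdP session). False: the IdP reused an existing session (SSO-like).
    None: the IdP reported no authentication time, so this cannot be determined."""
    if session.idp_auth_time is None:
        return None
    return session.idp_auth_time >= session.broker_redirect_at


def should_propagate_logout(policy: LogoutPropagation, session: BrokeredSession) -> bool:
    """Decide whether logging out of Keycloak also logs the user out of the IdP."""
    if policy is LogoutPropagation.ALWAYS:
        return True
    if policy is LogoutPropagation.NEVER:
        return False
    created = idp_session_created_by_broker_login(session)
    # Assumption: with no signal from the IdP, propagate, so an unattended browser
    # that is still logged in at the IdP cannot silently re-establish SSO.
    return True if created is None else created


# Constructed scenarios from the thread: a fresh IdP login during brokering, a
# pre-existing IdP session (user already working in Salesforce), and no signal at all.
FRESH_LOGIN = BrokeredSession("salesforce", broker_redirect_at=1000, idp_auth_time=1005)
PREEXISTING = BrokeredSession("salesforce", broker_redirect_at=1000, idp_auth_time=900)
NO_SIGNAL = BrokeredSession("salesforce", broker_redirect_at=1000, idp_auth_time=None)

if __name__ == "__main__":
    for name, s in [("fresh", FRESH_LOGIN), ("preexisting", PREEXISTING), ("no-signal", NO_SIGNAL)]:
        print(name, should_propagate_logout(LogoutPropagation.ONLY_IF_LOGIN_MECHANISM, s))
```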

