[keycloak-dev] identity broker changes
Stian Thorgersen
stian at redhat.com
Thu Mar 26 01:35:34 EDT 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 26 March, 2015 12:23:15 AM
> Subject: Re: [keycloak-dev] identity broker changes
>
> Finished backchannel logout for OIDC and SAML. Created a "Keycloak
> OIDC" type that handles our logout protocol. Had to make changes to
> UserSessionProvider and Model to get this to work (and work
> efficiently). I think I fixed Facebook and GitHub login, but I haven't
> tested it yet.
Nice, so we're now implementing the complete OpenID Connect Session Management spec?
>
> Still need to:
> * Make sure appliance works (all the module dependency stuff)
> * Write automated tests
> * Auto-import certificate for OIDC validation and .well-known address
I assume by auto-import you mean that someone can add an IdP by just supplying the .well-known address?
> * Review to make sure error handling is correct. Tests too for this.
>
> Gonna take me a while to write all the tests :(
>
>
>
> On 3/20/2015 7:07 PM, Bill Burke wrote:
> > SPI has changed to support logout and multiple callback endpoints (i.e.
> > Keycloak OIDC chaining will require a logout callback). This SPI is
> > quite complex, so I don't think we want to expose this to users. I'm
> > not very happy with it, but I'm not sure how to improve it yet.
> >
> > What works now:
> > * If logged in via a SAML broker, a Keycloak-initiated browser logout
> > will log out of the SAML broker too.
> >
> > What do I still need to do:
> > * Make "Update profile" false by default.
> > * Improve SAML admin console page.
> > * Implement OIDC broker Keycloak-initiated browser logout.
> > * Implement OIDC logout endpoint so that I can test OIDC brokering with
> > Keycloak as a parent.
> > * Implement SAML backchannel logout where the parent IDP sends a
> > backchannel logout request.
> > * Create a new "Keycloak OIDC" provider which extends OIDC and adds
> > Keycloak extensions like logout.
> > * Review to make sure error handling is correct.
> >
> > So, still a lot to do, but I'm at a milestone.
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com