[keycloak-dev] Improving SSO logout performance

Bill Burke bburke at redhat.com
Thu Feb 11 15:08:41 EST 2016


Also, OIDC adapter needs a ?GLO=true option like saml does.

For SAML it would be easy to implement this optimization.  I don't think 
OIDC has a way to determine who sent the logout request.

On 2/11/2016 2:43 PM, Bill Burke wrote:
> There's also the option of doing logout via iframes in the browser. This
> might be very useful for apps that need a browser logout.
>
> On 2/11/2016 11:57 AM, Marek Posolda wrote:
>> Few things, which we can possibly do:
>>
>> - Currently when application initiates logout through
>> servletRequest.logout , it sends request to Keycloak logout endpoint.
>> This endpoint then sends backchannel request to all logged clients with
>> registered admin URL. I think we can improve here and not send request
>> to the original application, which initiated logout.
>>
>> For example: When product-portal application initiates logout through
>> servletRequest.logout, the adapter itself should be already able to do
>> all logout actions on its side (invalidate httpSession etc) and there
>> is no need to send another request from keycloak to product-portal to
>> logout same httpSession.
>>
>> - Backchannel logout requests sent by Keycloak (ResourceAdminManager)
>> could be sent in parallel. Currently they are sent sequentially, which
>> is not very optimal.
>>
>> WDYT?
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
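
The two changes proposed in the thread (skip the client that initiated the logout, and send the remaining backchannel requests in parallel) shown as an added example; it is not Keycloak code and not from either poster. The `Client` record, `logoutAll`, the stub `sender` and the sample clients are hypothetical, and it assumes the server already knows the initiating client's id, which the reply above notes is not a given for OIDC.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Function;

public class ParallelBackchannelLogout {
    // Hypothetical client entry: id plus registered admin URL (null if none).
    record Client(String id, String adminUrl) {}

    // Returns ids of clients whose logout was NOT confirmed, so the caller can
    // log or retry them; an unconfirmed client may still hold a live session.
    static List<String> logoutAll(List<Client> clients, String initiatorId,
                                  Function<Client, Boolean> sender, long timeoutMs) {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        try {
            Map<String, CompletableFuture<Boolean>> pending = new LinkedHashMap<>();
            for (Client c : clients) {
                if (c.adminUrl() == null) continue;        // no backchannel endpoint
                if (c.id().equals(initiatorId)) continue;  // initiator cleaned up locally
                pending.put(c.id(), CompletableFuture
                        .supplyAsync(() -> sender.apply(c), pool)
                        // A slow or dead client must not stall the whole logout.
                        .completeOnTimeout(false, timeoutMs, TimeUnit.MILLISECONDS)
                        .exceptionally(e -> false));
            }
            List<String> failed = new ArrayList<>();
            pending.forEach((id, f) -> { if (!f.join()) failed.add(id); });
            return failed;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; the URLs are placeholders.
        List<Client> clients = List.of(
                new Client("product-portal", "https://portal.example/admin"),
                new Client("customer-portal", "https://customer.example/admin"),
                new Client("slow-app", "https://slow.example/admin"),
                new Client("public-js-app", null));
        // Stub standing in for the HTTP POST to the client's admin URL.
        Function<Client, Boolean> sender = c -> {
            try { Thread.sleep(c.id().equals("slow-app") ? 2000 : 100); }
            catch (InterruptedException e) { return false; }
            return true;
        };
        System.out.println(logoutAll(clients, "product-portal", sender, 500));
    }
}
```

With a sequential loop the slow client would delay every request queued behind it; here total latency is bounded by the timeout, and the returned list makes the sessions that may have survived logout visible instead of silently dropped.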


