[keycloak-dev] Improving SSO logout performance

Marek Posolda mposolda at redhat.com
Thu Feb 11 15:50:39 EST 2016


If the application initiates logout via servletRequest.logout, the adapter 
uses a backchannel request to this endpoint - 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L178 
. It is authenticated by client credentials and hence is aware which 
client initiated the logout. There is also the refreshToken and we have the 
clientSession available in this refresh token. This is not OIDC standard 
though, but we have that. So we can easily omit this clientSession from 
the backchannel logout request by ResourceAdminManager.

Marek

On 11/02/16 21:08, Bill Burke wrote:
> Also, OIDC adapter needs a ?GLO=true option like saml does.
>
> For SAML it would be easy to implement this optimization.  I don't think
> OIDC has a way to determine who sent the logout request.
>
> On 2/11/2016 2:43 PM, Bill Burke wrote:
>> There's also the option of doing logout via iframes in the browser. This
>> might be very useful for apps that need a browser logout.
>>
>> On 2/11/2016 11:57 AM, Marek Posolda wrote:
>>> Few things, which we can possibly do:
>>>
>>> - Currently when application initiates logout through
>>> servletRequest.logout , it sends request to Keycloak logout endpoint.
>>> This endpoint then sends backchannel request to all logged clients with
>>> registered admin URL. I think we can improve here and not send request
>>> to the original application, which initiated logout.
>>>
>>> For example: When product-portal application initiates logout through
>>> servletRequest.logout, the adapter itself should be already able to do
>>> all logout actions on its side (invalidate httpSession etc) and there
>>> is no need to send another request from keycloak to product-portal to
>>> logout same httpSession.
>>>
>>> - Backchannel logout requests sent by Keycloak (ResourceAdminManager)
>>> could be sent in parallel. Currently they are sent sequentially, which
>>> is not very optimal.
>>>
>>> WDYT?
>>>
>>> Marek



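The two optimisations discussed in this thread (skipping the client session that initiated the logout, and sending the remaining backchannel requests in parallel), as an added sketch that is not part of the original messages and not Keycloak's code. `ClientSession`, `logoutOthers` and the `sender` callback are hypothetical names, the sample sessions are constructed, and Java 16+ is assumed for the record; sessions whose logout is not confirmed are returned so they are not silently left alive.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Predicate;

public class ParallelBackchannelLogout {
    // Hypothetical stand-in for a client session; adminUrl is null when none is registered.
    record ClientSession(String id, String clientId, String adminUrl) {}

    /** Returns ids of sessions whose logout was not confirmed, so they can be retried or flagged. */
    static List<String> logoutOthers(List<ClientSession> sessions, String initiatingSessionId,
                                     Predicate<ClientSession> sender, long timeoutMs) {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        try {
            Map<String, Future<Boolean>> pending = new LinkedHashMap<>();
            for (ClientSession s : sessions) {
                if (s.id().equals(initiatingSessionId)) continue; // adapter already logged out locally
                if (s.adminUrl() == null) continue;               // no backchannel endpoint
                Callable<Boolean> task = () -> sender.test(s);
                pending.put(s.id(), pool.submit(task));           // all requests run concurrently
            }
            List<String> unconfirmed = new ArrayList<>();
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
            for (Map.Entry<String, Future<Boolean>> e : pending.entrySet()) {
                try {
                    long left = Math.max(0, deadline - System.nanoTime());
                    if (!e.getValue().get(left, TimeUnit.NANOSECONDS)) unconfirmed.add(e.getKey());
                } catch (InterruptedException ex) {
                    Thread.currentThread().interrupt();
                    unconfirmed.add(e.getKey());
                } catch (ExecutionException | TimeoutException ex) {
                    unconfirmed.add(e.getKey());                  // error or slow client: not logged out
                }
            }
            return unconfirmed;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        List<ClientSession> sessions = List.of(                   // constructed sample data
            new ClientSession("cs-1", "product-portal", "https://apps.example.test/product"),
            new ClientSession("cs-2", "customer-portal", "https://apps.example.test/customer"),
            new ClientSession("cs-3", "reports", "https://apps.example.test/reports"));
        // Stub sender: pretend the "reports" client rejects the logout request.
        Predicate<ClientSession> sender = s -> !s.clientId().equals("reports");
        System.out.println(logoutOthers(sessions, "cs-1", sender, 2000));
    }
}
```

The skip is keyed on the client session id rather than the client id, so only the one session that started the logout is exempt from the backchannel request.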