[keycloak-dev] Improving SSO logout performance

Marek Posolda mposolda at redhat.com
Thu Feb 11 16:02:25 EST 2016


So you mean that we can have the option to use the logout iframe even in 
server-side applications? The same stuff as we have in keycloak.js?

I guess it should work, but I'm not sure about the security implications. 
For example, a scenario like:
- User authenticated to customer-portal, which is using the iframe
- User opened a tab with product-portal
- User closed the tab with customer-portal
- User sent a logout request to product-portal. Now, since 
customer-portal wasn't open in the browser, it is not immediately 
available about logout and its httpSession will still be valid. The session 
will be logged out later once the user opens customer-portal. I guess 
it's not a big issue; the JavaScript apps also work the same way. But 
not sure...

Marek

On 11/02/16 20:43, Bill Burke wrote:
> There's also the option of doing logout via iframes in the browser. This
> might be very useful for apps that need a browser logout.
>
> On 2/11/2016 11:57 AM, Marek Posolda wrote:
>> A few things which we can possibly do:
>>
>> - Currently, when an application initiates logout through
>> servletRequest.logout, it sends a request to the Keycloak logout endpoint.
>> This endpoint then sends backchannel request to all logged clients with
>> registered admin URL. I think we can improve here and not send request
>> to the original application, which initiated logout.
>>
>> For example: when the product-portal application initiates logout through
>> servletRequest.logout, the adapter itself should already be able to do
>> all logout actions on its side (invalidate httpSession etc.) and there
>> is no need to send another request from Keycloak to product-portal to
>> log out the same httpSession.
>>
>> - Backchannel logout requests sent by Keycloak (ResourceAdminManager)
>> could be sent in parallel. Currently they are sent sequentially, which
>> is not very optimal.
>>
>> WDYT?
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
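
The two proposals quoted above (skip the client that initiated the logout, and send the remaining backchannel requests in parallel), as an added sketch that is not Keycloak's ResourceAdminManager code. The `Client` record, the `sendLogout` transport function and the admin URLs are hypothetical stand-ins, and no real HTTP request is made.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.function.Predicate;

public class ParallelBackchannelLogout {
    // Hypothetical stand-in for a logged-in client with a registered admin URL.
    record Client(String id, String adminUrl) {}

    // Sends backchannel logout to every client except the initiator, in parallel.
    // Returns the ids of clients whose logout was NOT confirmed: their
    // httpSession may still be valid and needs a retry or later invalidation.
    static Set<String> logoutAll(List<Client> clients, String initiatorId,
            Predicate<Client> sendLogout, long timeoutMs) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(Math.max(1, clients.size()));
        try {
            Map<String, Future<Boolean>> pending = new LinkedHashMap<>();
            for (Client c : clients) {
                // The initiating adapter already invalidated its own session.
                if (c.id().equals(initiatorId)) continue;
                Callable<Boolean> task = () -> sendLogout.test(c);
                pending.put(c.id(), pool.submit(task));
            }
            Set<String> failed = new TreeSet<>();
            // One shared deadline, so a slow client cannot stall the whole logout.
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
            for (Map.Entry<String, Future<Boolean>> e : pending.entrySet()) {
                try {
                    long left = Math.max(0, deadline - System.nanoTime());
                    if (!e.getValue().get(left, TimeUnit.NANOSECONDS)) failed.add(e.getKey());
                } catch (ExecutionException | TimeoutException ex) {
                    e.getValue().cancel(true);
                    failed.add(e.getKey());
                }
            }
            return failed;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; the URLs are placeholders.
        List<Client> clients = List.of(
            new Client("product-portal", "http://localhost:8080/product-portal"),
            new Client("customer-portal", "http://localhost:8080/customer-portal"),
            new Client("legacy-app", "http://localhost:8080/legacy-app"));
        // Simulated transport (assumption): legacy-app is unreachable.
        Predicate<Client> send = c -> !c.id().equals("legacy-app");
        System.out.println(logoutAll(clients, "product-portal", send, 2000));
    }
}
```

The returned set is the part that matters for security: a client that timed out or refused the request keeps a live session until something else invalidates it.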


