[keycloak-dev] Frontchannel logout based on iframes?

Bill Burke bburke at redhat.com
Wed May 3 09:23:14 EDT 2017

On 5/3/17 3:47 AM, Marek Posolda wrote:
> I went through the OIDC frontchannel logout specification draft [1] and
> realized that it relies a lot on iframes instead of browser
> redirection. Basically the OP would render an HTML page with hidden iframes
> containing the logout URLs of the clients, like:
> <iframe src="frontchannel_logout_uri">
> I wonder if we should add some support for the iframe-based approach
> for SAML too? It looks like many vendors, including Shibboleth (see [2]),
> are using it, as it seems to have lots of advantages over the
> redirection-based one. Like:
> - More reliable. With the redirection-based approach used by SAML, the
> IDP needs to redirect the browser to client1, which then needs to
> redirect back to the IDP, which continues with a redirection to client2, etc.
> The problem is that if any client is broken, the whole flow will break and
> the logout won't be finished properly.
> - Better performance. Logout requests would be sent concurrently to all
> the clients.
> - Better for cross-DC as there is no need for more writes to the userSession
> cache. The IDP would just render the HTML with iframes in a single request and
> then remove the userSession entirely.
> Possible disadvantages:
> - iframes may be blocked on the SP side.
> - It will require some JavaScript though, as for SAML SP-initiated
> logout the IDP needs to send the LogoutResponse back to the SP which
> initiated the logout. This means that once the HTML with iframes is rendered
> and all the iframe requests are finished, there would need to be some
> callback which automatically redirects the browser back to the SP with the
> LogoutResponse.
> - POST binding for logout. Not sure if this would work with iframes, but
> I suppose there are some ways to solve that (automatically submitted
> form through JavaScript, etc.).
+1, Don't think POST binding will be an issue. If you look at the POST
binding it actually requires HTML forms with embedded JavaScript to do a
"POST redirect".

> - Anything else?
> WDYT? Do we want to add some support for iframes based logout to our
> SAML clients?

What's cool is that logout could be done in parallel, no?

