[keycloak-dev] Frontchannel logout based on iframes?

Marek Posolda mposolda at redhat.com
Wed May 3 15:10:41 EDT 2017

On 03/05/17 15:23, Bill Burke wrote:
> On 5/3/17 3:47 AM, Marek Posolda wrote:
>> I went through the OIDC frontchannel logout specification draft [1] and
>> realized that it relies a lot on the iframes instead of browser
>> redirection. Basically OP would render HTML page with the hidden iframes
>> containing the logout URL of clients like:
>> <iframe src="frontchannel_logout_uri">
>> I wonder if we should add some support for the iframes based approach
>> for SAML too? It looks that many vendors including shibboleth (see [2])
>> are using it as it seem to have lots of advantages over the redirection
>> based. Like:
>> - More reliable. With the redirection based approach used by SAML, the
>> IDP needs to redirect browser to the client1, which then need to
>> redirect back to IDP, which continues with redirection to client2 etc.
>> Problem is, that if any client is broken, then whole flow will break and
>> logout won't be finished properly.
>> - Better performance. Logout requests would be sent concurrently to all
>> the clients.
>> - Better for cross-dc as there is no need for more writes to userSession
>> cache. IDP would just render the html with iframes in single request and
>> then remove userSession entirely.
>> Possible disadvantages:
>> - iframes may be blocked on the SP side.
>> - It will require some javascript though as for SAML-SP initiated
>> logout, the IDP needs to send the LogoutResponse back to the SP, which
>> initiated logout. Which means that once HTML with iframes is rendered
>> and all the iframe requests are finished, there would need to be some
>> callback, which will automatically redirect browser back to SP with
>> LogoutResponse.
>> - POST binding for logout. Not sure if this would work with iframes, but
>> I suppose there are some ways how to solve that (automatically submitted
>> form through javascript etc).
> +1,  Don't think POSt binding will be an issue.  If you look at the POSt
> binding it actually requires HTML forms with embedded Javascript to do a
> "POST redirect".
>> - Anything else?
>> WDYT? Do we want to add some support for iframes based logout to our
>> SAML clients?
> What's cool is that logout could be done in parallel, no?
Yes, exactly.

By the way, I think that we have a space for improvement here for 
backchannel requests as well. Right now, they are sent sequentially in 
AuthenticationManager.backchannelLogout . We can sent logout request to 
all the authenticated clients in the userSession concurrently IMO.

> Bill
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list