> On 25.3.2015 16:27, Bill Burke wrote:
>> So Salesforce IDP is the "parent" and Keycloak is the child?
> Yes
>> I think Salesforce IDP should be logged out as well, because think
>> of it this way
>>
>> 1. user logs out of keycloak app, but doesn't get logged out of
>> Salesforce
>> 2. user goes away from machine
>> 3. Attacker sits down at desk
>> 4. Attacker visits keycloak app
>> 5. Still logged in at Salesforce, so keycloak app has a successful
>> login due to SSO.
> I see the point. However if you consider a scenario like:
> 1. I am logged in to salesforce.com and doing some important transactions there
> 2. Now I clicked to a different browser tab and want to quickly check
> something in some keycloak-secured app. I logged in to the app through
> Keycloak + Salesforce broker
> 3. I checked calendar, clicked "logout" in Zimbra and I want to continue
> back in Salesforce. But I am logged out from Salesforce... :-(
> The prompt makes sense to me. At least for the cases when the user was
> logged in before. But not sure if there is a way to track this (in case
> Keycloak itself is the parent broker, we can check if auth-method was
> FORM (user just logged in) or SSO (user was already logged in before)), but
> that would require propagating this info from the parent broker to the child
> broker too. Maybe easiest is to always display the prompt?
What should the prompt say? User will have no idea what it means by
"Should I logout of parent broker?"
Maybe "Logout of <broker> too?"
i.e.
"Logout of Salesforce too?"
"Logout of Facebook too?"
--
Bill Burke
JBoss, a division of Red Hat