----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 26 March, 2015 12:23:15 AM
Subject: Re: [keycloak-dev] identity broker changes

Finished backchannel logout for OIDC and SAML. Created a "Keycloak
OIDC" type that handles our logout protocol. Had to make changes to
UserSessionProvider and Model to get this to work (and work
efficiently). I think I fixed Facebook and GitHub login, but I haven't
tested it yet.

Nice, so we're now implementing the complete OpenID Connect session management spec?

Still need to:
* Make sure appliance works (all the module dependency stuff)
* Write automated tests
* Auto-import certificate for OIDC validation and .well-known address

I assume by auto-import you mean that someone can add an IdP by just supplying the
.well-known address?

* Review to make sure error handling is correct. Tests too for
this.

Gonna take me awhile to write all the tests :(

On 3/20/2015 7:07 PM, Bill Burke wrote:
> SPI has changed to support logout and multiple callback endpoints (i.e.
> keycloak oidc chaining will require a logout callback). This SPI is
> quite complex, so I don't think we want to expose this to users. I'm
> not very happy with it, but I'm not sure how to improve it yet.
>
> What works now:
> * If logged in via a SAML broker, a keycloak initiated browser logout
> will log out of the SAML broker too.
>
> What do I still need to do:
> * Make "Update profile" false by default.
> * Improve saml admin console page.
> * Implement OIDC broker keycloak initiated browser logout.
> * Implement OIDC logout endpoint so that I can test OIDC brokering with
> Keycloak as a parent.
> * Implement SAML backchannel logout where the parent IDP sends a
> backchannel logout request.
> * Create a new "Keycloak OIDC" provider which extends OIDC and adds
> keycloak extensions like logout.
> * Review to make sure error handling is correct.
>
> So, still a lot to do, but I'm at a milestone.
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com