I don't get the OpenID technique. Would it not be simpler to have a periodic
XMLHttpRequest (or even better an async WebSocket) to retrieve the status of a session?
The whole concept of iframes seems very hacky to me.
I think what we have at the moment is good enough (at least for beta1), and we can look at
this later.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 9 May, 2014 3:05:26 AM
Subject: [keycloak-dev] openid connect iframe logout
I'm looking at:
http://openid.net/specs/openid-connect-session-1_0.html
I don't think using iframes for single log out is any better than what
we're currently doing and planning on doing for keycloak.js.
For the OpenID Iframe technique, if our global login cookies are
HttpOnly, then the OP Iframe will have to do a periodic "ping" request
to the server to test the cookie. This is really no different than the
current plan to expire login sessions and invalidate refresh token
requests based on a login-session id. I say this because there is
still a time element involved where there is a window from when the user
logs out and either the periodic "ping" hasn't been executed yet (openid
connect iframe technique), or the access token hasn't expired yet.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev