So you mean that we can have the option to use logout iframe even in
server-side applications? Same stuff like we have in keycloak.js?
I guess it should work, but not sure about security implications. For
example the scenario like:
- User authenticated to customer-portal which is using iframe
- User opened tab with product-portal
- User closed the tab with customer-portal
- User sent logout request to product-portal. Now since the
customer-portal wasn't opened in browser, it is not immediately
available about logout and its httpSession will still be valid. Session
will be logged-out later once user opens the customer-portal. I guess
it's not a big issue, the javascript apps also work the same way. But
not sure...
Marek
On 11/02/16 20:43, Bill Burke wrote:
There's also the option of doing logout via iframes in the browser. This
might be very useful for apps that need a browser logout.
On 2/11/2016 11:57 AM, Marek Posolda wrote:
> Few things, which we can possibly do:
>
> - Currently when application initiates logout through
> servletRequest.logout, it sends request to Keycloak logout endpoint.
> This endpoint then sends backchannel request to all logged clients with
> registered admin URL. I think we can improve here and not send request
> to the original application, which initiated logout.
>
> For example: When product-portal application initiates logout through
> servletRequest.logout, the adapter itself should be already able to do
> all logout actions on its side (invalidate httpSession etc) and there
> is no need to send another request from keycloak to product-portal to
> logout same httpSession.
>
> - Backchannel logout requests sent by Keycloak (ResourceAdminManager)
> could be sent in parallel. Currently they are sent sequentially, which
> is not very optimal.
>
> WDYT?
>
> Marek