----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 7 October, 2014 3:47:01 PM
Subject: Re: [keycloak-dev] Session SPI for adapters

On 10/7/2014 8:38 AM, Bill Burke wrote:
>>>>
>>>> SAML has out-of-band logout requests too. At least that's what I think
>>>> Pedro told me.
>>>>
>>>
>>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>>> each SP for Single Log out, or you do an out of band logout request to
>>> the SP. PL SAML SP adapter currently has the same problem as us in a
>>> cluster. They keep an in-memory map between username and http session.
>>
>> Would it make sense to add redirect logout as well? Then you can set in
>> the admin console which logout mechanism you want (none, redirect or
>> out-of-band request?)
>>
>
> Yes. I'm going to do that. I need to add logout to the protocol SPI.
>
IMO, logouts via redirects are really ugly and you don't really need a
redirect logout for keycloak.js clients. With the iframe hack OpenID
Connect has (and we implemented), you can just check if the user is
logged out when a UI event happens.

I agree - how about we add the option to save the refresh token only. Then you have the
two scenarios:

a) app is open (loaded in a browser tab) - iframe detects logout straight away
b) app is closed - if user opens app, refresh token is retrieved from session store, app
will try to get access token, but fail as session is closed

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev