Surely you still need to do regular requests to the identity provider to get the cookie
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Sent: Friday, 9 May, 2014 2:16:50 PM
Subject: Re: [keycloak-dev] openid connect iframe logout
Ok, I think I know why the iframe technique exists:
Specifically to avoid network traffic. From spec: " it is desirable to
be able to check the login status at the OP without causing network
HttpOnly). But just Google "steal cross domain cookies" and you'll see
why this just isn't a great idea.
On 5/9/2014 6:52 AM, Stian Thorgersen wrote:
> Added issues:
> * https://issues.jboss.org/browse/KEYCLOAK-450
> * https://issues.jboss.org/browse/KEYCLOAK-451
> I don't get the OpenID technique. Would it not be simpler to have a
> periodic XMLHttpRequest (or even better an async WebSocket) to retrieve
> the status of a session? The whole concept of iframes seems very hacky to
> I think what we have at the moment is good enough (at least for beta1), and
> we can look at this later.
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 9 May, 2014 3:05:26 AM
>> Subject: [keycloak-dev] openid connect iframe logout
>> I'm looking at:
>> I don't think using iframes for single log out is any better than what
>> we're currently doing and planning on doing for keycloak.js.
>> For the OpenID Iframe technique, if our global login cookies are
>> HttpOnly, then the OP Iframe will have to do a periodic "ping"
>> to the server to test the cookie. This is really no different than the
>> current plan to expire login sessions and invalidate refresh token
>> requests based on a login-session id. I say this because there is
>> still a time element involved where there is a window from when the user
>> logs out and either the periodic "ping" hasn't been executed yet
>> connect iframe technique), or the access token hasn't expired yet.
>> Bill Burke
>> JBoss, a division of Red Hat
JBoss, a division of Red Hat