11:43 a.m.
If a user logs in through Facebook or links to Facebook in the account
service, should we logout the Facebook when the user logs out? My
thinking is that we should otherwise that machine will keep facebook
logged in.
Bill
11:53 a.m.
Actually its just account linking that is effected. If you log in
through Facebook, you will log out of facebook. I assume we want a
logout to happen to linked accounts too.
On 3/25/17 12:43 PM, Bill Burke wrote:
If a user logs in through Facebook or links to Facebook in the
account
service, should we logout the Facebook when the user logs out? My
thinking is that we should otherwise that machine will keep facebook
logged in.
Bill
2:11 a.m.
IMO the logout of child broker should be propagated to parent broker
logout just in case, that parent broker was actively authenticated
because of child broker.
In other words, when I click to "Sign In with Facebook" on Keycloak
login screen, but I am already authenticated to Facebook (hence no
Facebook login screen is displayed), then logout from KC shouldn't
logout me from Facebook IMO.
However I don't know if it's possible to detect this. In case that
Keycloak is used as parent broker, we have "auth_time" as a claim in the
token, so we can decide if parent Keycloak broker was actively
authenticated because of our request. Not sure if Facebook, Google,
Twitter and others OIDC providers have something like this. Also not
even sure if Facebook (and other social providers) allow you to logout
their session from the "child" app...
Marek
On 25/03/17 17:53, Bill Burke wrote:
Actually its just account linking that is effected. If you log in
through Facebook, you will log out of facebook. I assume we want a
logout to happen to linked accounts too.
On 3/25/17 12:43 PM, Bill Burke wrote:
> If a user logs in through Facebook or links to Facebook in the account
> service, should we logout the Facebook when the user logs out? My
> thinking is that we should otherwise that machine will keep facebook
> logged in.
>
> Bill
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:27 a.m.
+1 to Marek, if you logged in in keycloak through identity provider like
fb/google/github/whatever user'd be greatly annoyed by logging him out from
fb (and all applications which used that login that don't go through
keycloak) just because user logged out of some keycloak-integrated
application.
пн, 27 мар. 2017 г. в 10:13, Marek Posolda <mposolda(a)redhat.com>:
IMO the logout of child broker should be propagated to parent broker
logout just in case, that parent broker was actively authenticated
because of child broker.
In other words, when I click to "Sign In with Facebook" on Keycloak
login screen, but I am already authenticated to Facebook (hence no
Facebook login screen is displayed), then logout from KC shouldn't
logout me from Facebook IMO.
However I don't know if it's possible to detect this. In case that
Keycloak is used as parent broker, we have "auth_time" as a claim in the
token, so we can decide if parent Keycloak broker was actively
authenticated because of our request. Not sure if Facebook, Google,
Twitter and others OIDC providers have something like this. Also not
even sure if Facebook (and other social providers) allow you to logout
their session from the "child" app...
Marek
On 25/03/17 17:53, Bill Burke wrote:
> Actually its just account linking that is effected. If you log in
> through Facebook, you will log out of facebook. I assume we want a
> logout to happen to linked accounts too.
>
>
> On 3/25/17 12:43 PM, Bill Burke wrote:
>> If a user logs in through Facebook or links to Facebook in the account
>> service, should we logout the Facebook when the user logs out? My
>> thinking is that we should otherwise that machine will keep facebook
>> logged in.
>>
>> Bill
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Best regards,
Konstantin Gribov
9:24 a.m.
Like marek said, you can't really tell if facebook was already logged in
or not. IMO, it is better to annoy the user than the alternative of
somebody taking over somebody's Facebook account because they stepped
away from the computer.
On 3/27/17 7:27 AM, Konstantin Gribov wrote:
+1 to Marek, if you logged in in keycloak through identity provider
like fb/google/github/whatever user'd be greatly annoyed by logging
him out from fb (and all applications which used that login that don't
go through keycloak) just because user logged out of some
keycloak-integrated application.
пн, 27 мар. 2017 г. в 10:13, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>>:
IMO the logout of child broker should be propagated to parent broker
logout just in case, that parent broker was actively authenticated
because of child broker.
In other words, when I click to "Sign In with Facebook" on Keycloak
login screen, but I am already authenticated to Facebook (hence no
Facebook login screen is displayed), then logout from KC shouldn't
logout me from Facebook IMO.
However I don't know if it's possible to detect this. In case that
Keycloak is used as parent broker, we have "auth_time" as a claim
in the
token, so we can decide if parent Keycloak broker was actively
authenticated because of our request. Not sure if Facebook, Google,
Twitter and others OIDC providers have something like this. Also not
even sure if Facebook (and other social providers) allow you to logout
their session from the "child" app...
Marek
On 25/03/17 17:53, Bill Burke wrote:
> Actually its just account linking that is effected. If you log in
> through Facebook, you will log out of facebook. I assume we want a
> logout to happen to linked accounts too.
>
>
> On 3/25/17 12:43 PM, Bill Burke wrote:
>> If a user logs in through Facebook or links to Facebook in the
account
>> service, should we logout the Facebook when the user logs out? My
>> thinking is that we should otherwise that machine will keep
facebook
>> logged in.
>>
>> Bill
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Best regards,
Konstantin Gribov
10:53 a.m.
Both options are quite bad imo. But likely better to prefer security
over usability...
Btv. It looks that currently we never propagate Keycloak logout to
Facebook. And probably it's same for other social networks.
It looks that FB has some possibility how to propagate logout and it's
even able to divide between the cases when user was already logged or
not. There is this for Javascript API [1] and some possibilities here,
which may work for server-side apps too [2] . But it looks that you need
Facebook accessToken to logout.
[1] https://developers.facebook.com/docs/reference/javascript/FB.logout
[2] http://stackoverflow.com/questions/2764436/facebook-oauth-logout
Marek
On 27/03/17 16:24, Bill Burke wrote:
Like marek said, you can't really tell if facebook was already logged
in or not. IMO, it is better to annoy the user than the alternative
of somebody taking over somebody's Facebook account because they
stepped away from the computer.
On 3/27/17 7:27 AM, Konstantin Gribov wrote:
> +1 to Marek, if you logged in in keycloak through identity provider
> like fb/google/github/whatever user'd be greatly annoyed by logging
> him out from fb (and all applications which used that login that
> don't go through keycloak) just because user logged out of some
> keycloak-integrated application.
>
> пн, 27 мар. 2017 г. в 10:13, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>>:
>
> IMO the logout of child broker should be propagated to parent broker
> logout just in case, that parent broker was actively authenticated
> because of child broker.
>
> In other words, when I click to "Sign In with Facebook" on Keycloak
> login screen, but I am already authenticated to Facebook (hence no
> Facebook login screen is displayed), then logout from KC shouldn't
> logout me from Facebook IMO.
>
> However I don't know if it's possible to detect this. In case that
> Keycloak is used as parent broker, we have "auth_time" as a claim
> in the
> token, so we can decide if parent Keycloak broker was actively
> authenticated because of our request. Not sure if Facebook, Google,
> Twitter and others OIDC providers have something like this. Also not
> even sure if Facebook (and other social providers) allow you to
> logout
> their session from the "child" app...
>
> Marek
>
> On 25/03/17 17:53, Bill Burke wrote:
> > Actually its just account linking that is effected. If you log in
> > through Facebook, you will log out of facebook. I assume we want a
> > logout to happen to linked accounts too.
> >
> >
> > On 3/25/17 12:43 PM, Bill Burke wrote:
> >> If a user logs in through Facebook or links to Facebook in the
> account
> >> service, should we logout the Facebook when the user logs out? My
> >> thinking is that we should otherwise that machine will keep
> facebook
> >> logged in.
> >>
> >> Bill
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> Best regards,
> Konstantin Gribov
>
2:11 a.m.
As user scenario, user logged twice, first time as keycloak user and the second time as FB
user to provide auth to keycloak. And i`m, as user, remember, that i`m logged into FB. In
case when sync keycloak logout with social I will be surprised, If opening FB see login
page again. Also, I can working with keycloak secured app and FB at the same time ( ex.
serfing news on FB ) and It will be bad, if FB-site logout when I logout from keycloak.
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: Monday, March 27, 2017 10:53 PM
To: Bill Burke; Konstantin Gribov; keycloak-dev
Subject: Re: [keycloak-dev] logout social providers?
Both options are quite bad imo. But likely better to prefer security over usability...
Btv. It looks that currently we never propagate Keycloak logout to Facebook. And probably
it's same for other social networks.
It looks that FB has some possibility how to propagate logout and it's even able to
divide between the cases when user was already logged or not. There is this for Javascript
API [1] and some possibilities here, which may work for server-side apps too [2] . But it
looks that you need Facebook accessToken to logout.
[1] https://developers.facebook.com/docs/reference/javascript/FB.logout
[2] http://stackoverflow.com/questions/2764436/facebook-oauth-logout
Marek
On 27/03/17 16:24, Bill Burke wrote:
Like marek said, you can't really tell if facebook was already logged
in or not. IMO, it is better to annoy the user than the alternative
of somebody taking over somebody's Facebook account because they
stepped away from the computer.
On 3/27/17 7:27 AM, Konstantin Gribov wrote:
> +1 to Marek, if you logged in in keycloak through identity provider
> like fb/google/github/whatever user'd be greatly annoyed by logging
> him out from fb (and all applications which used that login that
> don't go through keycloak) just because user logged out of some
> keycloak-integrated application.
>
> пн, 27 мар. 2017 г. в 10:13, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>>:
>
> IMO the logout of child broker should be propagated to parent broker
> logout just in case, that parent broker was actively authenticated
> because of child broker.
>
> In other words, when I click to "Sign In with Facebook" on Keycloak
> login screen, but I am already authenticated to Facebook (hence no
> Facebook login screen is displayed), then logout from KC shouldn't
> logout me from Facebook IMO.
>
> However I don't know if it's possible to detect this. In case that
> Keycloak is used as parent broker, we have "auth_time" as a claim
> in the
> token, so we can decide if parent Keycloak broker was actively
> authenticated because of our request. Not sure if Facebook, Google,
> Twitter and others OIDC providers have something like this. Also not
> even sure if Facebook (and other social providers) allow you to
> logout
> their session from the "child" app...
>
> Marek
>
> On 25/03/17 17:53, Bill Burke wrote:
> > Actually its just account linking that is effected. If you log in
> > through Facebook, you will log out of facebook. I assume we want a
> > logout to happen to linked accounts too.
> >
> >
> > On 3/25/17 12:43 PM, Bill Burke wrote:
> >> If a user logs in through Facebook or links to Facebook in the
> account
> >> service, should we logout the Facebook when the user logs out? My
> >> thinking is that we should otherwise that machine will keep
> facebook
> >> logged in.
> >>
> >> Bill
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> Best regards,
> Konstantin Gribov
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2582
days inactive
2586
days old
6 comments
4 participants
participants (4)
-
Bill Burke -
Konstantin Gribov -
Marek Posolda -
Nekrasov Aleksandr