On 03/05/17 15:23, Bill Burke wrote:
On 5/3/17 3:47 AM, Marek Posolda wrote:
> I went through the OIDC frontchannel logout specification draft [1] and
> realized that it relies a lot on the iframes instead of browser
> redirection. Basically OP would render HTML page with the hidden iframes
> containing the logout URL of clients like:
>
> <iframe src="frontchannel_logout_uri">
>
> I wonder if we should add some support for the iframes based approach
> for SAML too? It looks that many vendors including Shibboleth (see [2])
> are using it as it seems to have lots of advantages over the redirection
> based one. Like:
>
> - More reliable. With the redirection based approach used by SAML, the
> IDP needs to redirect browser to the client1, which then needs to
> redirect back to IDP, which continues with redirection to client2 etc.
> The problem is that if any client is broken, then the whole flow will break and
> logout won't be finished properly.
>
> - Better performance. Logout requests would be sent concurrently to all
> the clients.
>
> - Better for cross-dc as there is no need for more writes to userSession
> cache. IDP would just render the HTML with iframes in single request and
> then remove userSession entirely.
>
> Possible disadvantages:
> - iframes may be blocked on the SP side.
>
> - It will require some javascript though as for SAML-SP initiated
> logout, the IDP needs to send the LogoutResponse back to the SP, which
> initiated logout. Which means that once HTML with iframes is rendered
> and all the iframe requests are finished, there would need to be some
> callback, which will automatically redirect browser back to SP with
> LogoutResponse.
>
> - POST binding for logout. Not sure if this would work with iframes, but
> I suppose there are some ways how to solve that (automatically submitted
> form through javascript etc).
+1, don't think POST binding will be an issue. If you look at the POST
binding it actually requires HTML forms with embedded Javascript to do a
"POST redirect".
> - Anything else?
>
> WDYT? Do we want to add some support for iframes based logout to our
> SAML clients?
What's cool is that logout could be done in parallel, no?
Yes, exactly.
By the way, I think that we have a space for improvement here for
backchannel requests as well. Right now, they are sent sequentially in
AuthenticationManager.backchannelLogout. We can send logout request to
all the authenticated clients in the userSession concurrently IMO.
Marek
Bill
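As an added illustration of the iframe-based flow discussed above (example code, not Keycloak's own), the IdP page below loads every client's front-channel logout URL in a hidden iframe concurrently and, once all iframes have finished or a timeout expires, auto-submits the POST-binding LogoutResponse back to the SP that initiated logout. The helper names, the `spResponseUrl`/`samlResponse`/`relayState` parameters and the sample URLs are assumptions made for the example.

```javascript
// Added example (not Keycloak code): IdP-rendered SAML front-channel logout page
// in the iframe style. Clients are logged out in parallel; the timeout keeps a
// single broken or blocked client from stalling the whole logout.

// Escape untrusted values (client URLs, SAML payload) before placing them in HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Pure bookkeeping mirrored by the inline browser script below: counts finished
// iframes and fires onDone exactly once, whether all finished or the timeout hit.
function createCompletionTracker(total, onDone) {
  let remaining = total;
  let finished = false;
  const finish = (reason) => { if (!finished) { finished = true; onDone(reason); } };
  if (total === 0) finish('no-clients');
  return {
    iframeFinished() { remaining -= 1; if (remaining <= 0) finish('all-finished'); },
    timeout() { finish('timeout'); },
    get remaining() { return Math.max(remaining, 0); },
    get finished() { return finished; },
  };
}

// Build the HTML the IdP returns. `load` fires for cross-origin iframes too, but an
// HTTP error page still counts as loaded, so the timeout is the real safety net.
function buildLogoutPage(frontchannelLogoutUris,
                         { spResponseUrl, samlResponse, relayState = '', timeoutMs = 5000 }) {
  const iframes = frontchannelLogoutUris
    .map((u) => `<iframe src="${escapeHtml(u)}" style="display:none" onload="done()" onerror="done()"></iframe>`)
    .join('\n');
  return `<!DOCTYPE html><html><body>
${iframes}
<form id="saml" method="post" action="${escapeHtml(spResponseUrl)}">
  <input type="hidden" name="SAMLResponse" value="${escapeHtml(samlResponse)}">
  <input type="hidden" name="RelayState" value="${escapeHtml(relayState)}">
</form>
<script>
  var remaining = ${frontchannelLogoutUris.length}, sent = false;
  function send() { if (!sent) { sent = true; document.getElementById('saml').submit(); } }
  function done() { if (--remaining <= 0) send(); }
  setTimeout(send, ${timeoutMs});
  if (remaining === 0) send();
</script></body></html>`;
}
```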
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev