Got confirmation from the OIDC group that session management and both
logout specifications are on track to be finalised soon.
So - Contributions welcome :)
On Tue, 12 Mar 2019 at 18:57, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I have my worries about this spec. It was proposed back in Jan 2017 and is
still in draft state. It seems to be abandoned.
Before adding support for this spec we should look for alternatives and
check what the status is of the spec and why nothing is happening with it.
On Tue, 12 Mar 2019 at 13:16, Diego Liberalquino <diegoliber(a)gmail.com>
wrote:
> Hi,
>
> I want to make the contribution, yes. I'm very interested that this feature
> gets implemented on Keycloak. It'll take some time though, I'm still
> familiarizing myself with Keycloak's test suite, so I want to make sure my
> contribution doesn't break anything.
>
> I've read this discussion about iframe based logout on SAML and agree
> 100% that the iframe-based approach is the best solution for this
> problem and I was already getting inspiration from the SAML implementation.
> OIDC FrontChannel Spec also expects the use of iframes [1].
>
> Thanks for the follow up!
>
> [1] https://openid.net/specs/openid-connect-frontchannel-1_0.html
>
> Diego
>
> On Tue, Mar 12, 2019 at 8:36 AM Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
> > Link to the discussion was broken:
> > [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.html
> >
> > Am Di., 12. März 2019 um 12:30 Uhr schrieb Marek Posolda <
> > mposolda(a)redhat.com>:
> >
> >> Hi,
> >>
> >> there is this JIRA opened already [1] . We have it planned, so we want
> >> to look at it, but lack of other things caused that this wasn't
> >> prioritized in last years... Do you want to contribute the feature?
> >>
> >> BTW, there is this old discussion where we discussed the "iframes" to be
> >> used for frontchannel logout rather than redirect based approach [2].
> >> You can see some more context by going through this old thread. I think
> >> that we already support iframe based frontchannel logout for SAML
> >> specification, or at least it is already available in Hynek's branch as
> >> mentioned in the comment of this JIRA [3]. So hopefully OIDC can re-use
> >> some parts of it.
> >>
> >> Let us know if you're interested in contributing this.
> >>
> >> [1] https://issues.jboss.org/browse/KEYCLOAK-2939
> >> [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.htm
> >> [3] https://issues.jboss.org/browse/KEYCLOAK-5449
> >>
> >> Marek
> >>
> >> On 10/03/2019 04:03, Diego Liberalquino wrote:
> >> > Hello,
> >> >
> >> > A thing that bothers me on Keycloak is the lack of implementation of
> >> > Front-Channel Logout for OpenID Clients. Is there any technical reason for
> >> > this or is it just awaiting a community contribution? I mean, the spec is
> >> > supported for SAML clients, and it also works for external OIDC providers.
> >> >
> >> > Best regards,
> >> > Diego Liberalquino
> >> > _______________________________________________
> >> > keycloak-dev mailing list
> >> > keycloak-dev(a)lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev