[keycloak-dev] logout behavior changed
Bill Burke
bburke at redhat.com
Sun Aug 10 10:47:24 EDT 2014
I changed how logout works. It bothered me that there was no
authentication and that anybody could just push any guessed session_id
to /logout. So, it is now split up into to forms of Logout:
* GET /realms/{realm}/tokens/logout?redirect_uri={}
I removed the session_state parameter. This is a browser-based logout
and requires the user to be logged in. I still need to verify that the
redirect_uri is a valid URI.
* POST /realms/{realm}/tokens/logout
Same form parameters and authentication required as a refresh token
request. A valid refresh token is required to be able to logout the
session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list