[keycloak-dev] openid connect iframe logout

Stian Thorgersen stian at redhat.com
Fri May 9 06:52:28 EDT 2014


Added issues:
* https://issues.jboss.org/browse/KEYCLOAK-450
* https://issues.jboss.org/browse/KEYCLOAK-451

I don't get the OpenID technique. Would it not be simpler to have a periodic XMLHttpRequest (or even better an async WebSocket) to retrieve the status of a session? The whole concept of iframes seems very hacky to me.

I think what we have at the moment is good enough (at least for beta1), and we can look at this later.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 9 May, 2014 3:05:26 AM
> Subject: [keycloak-dev] openid connect iframe logout
> 
> I'm looking at:
> 
> http://openid.net/specs/openid-connect-session-1_0.html
> 
> I don't think using iframes for single log out is any better than what
> we're currently doing and planning on doing for keycloak.js.
> 
> For the OpenID Iframe technique, if our global login cookies are
> HttpOnly, then the OP Iframe will have to do a periodic "ping" request
> to the server to test the cookie.  This is really no different than the
> current plan to expire login sessions and invalidate refresh token
> requests based on on a login-session id.  I say this because there is
> still a time element involved where there is a window from when the user
> logs out and either the periodic "ping" hasn't been executed yet (openid
> connect iframe technique), or the access token hasn't expired yet.
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


More information about the keycloak-dev mailing list