[keycloak-dev] openid connect iframe logout

Stian Thorgersen stian at redhat.com
Fri May 9 09:18:41 EDT 2014 

Surely you still need to do regular requests to the identity provider to get the cookie updated though?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 9 May, 2014 2:16:50 PM
> Subject: Re: [keycloak-dev] openid connect iframe logout
> 
> Ok, I think I know why the ipframe technique exists:
> 
> Specifically to avoid network traffic.  From spec: " it is desirable to
> be able to check the login status at the OP without causing network
> traffic".
> 
> This could only work if our cookies were viewable in Javascript. (not
> HttpOnly).  But just Google "steal cross domain cookies" and you'll see
> why this just isn't a great idea.
> 
> On 5/9/2014 6:52 AM, Stian Thorgersen wrote:
> > Added issues:
> > * https://issues.jboss.org/browse/KEYCLOAK-450
> > * https://issues.jboss.org/browse/KEYCLOAK-451
> >
> > I don't get the OpenID technique. Would it not be simpler to have a
> > periodic XMLHttpRequest (or even better an async WebSocket) to retrieve
> > the status of a session? The whole concept of iframes seems very hacky to
> > me.
> >
> > I think what we have at the moment is good enough (at least for beta1), and
> > we can look at this later.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 9 May, 2014 3:05:26 AM
> >> Subject: [keycloak-dev] openid connect iframe logout
> >>
> >> I'm looking at:
> >>
> >> http://openid.net/specs/openid-connect-session-1_0.html
> >>
> >> I don't think using iframes for single log out is any better than what
> >> we're currently doing and planning on doing for keycloak.js.
> >>
> >> For the OpenID Iframe technique, if our global login cookies are
> >> HttpOnly, then the OP Iframe will have to do a periodic "ping" request
> >> to the server to test the cookie.  This is really no different than the
> >> current plan to expire login sessions and invalidate refresh token
> >> requests based on on a login-session id.  I say this because there is
> >> still a time element involved where there is a window from when the user
> >> logs out and either the periodic "ping" hasn't been executed yet (openid
> >> connect iframe technique), or the access token hasn't expired yet.
> >>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

More information about the keycloak-dev mailing list