[keycloak-dev] Session SPI for adapters

Marek Posolda mposolda at redhat.com
Mon Oct 6 09:58:00 EDT 2014


On 6.10.2014 15:26, Bill Burke wrote:
>
>
> A few more things:
>
> Stian made a good point that any extensions we do have to be
> compatible with non-Keycloak pure OIDC adapters. The thing is though,
> OIDC doesn't have a logout request like SAML does. I'll ping Pedro to
> see if session information can be extracted from a logout request.
>
AFAIR SAML single sign-out is based on a chain of browser redirections to
all apps where you are logged in. No "out-of-bound" requests. At least
that's how PicketLink is doing it AFAIK (not 100% sure and not sure about
the SAML specs). So in this case the logout request is browser-based and has
access to the JSESSIONID cookie. Hence there is no need to maintain
sessionId in Keycloak or any state on adapters as well. I am not 100%
sure (will try to double-check).

Marek

