[keycloak-dev] Session SPI for adapters
Marek Posolda
mposolda at redhat.com
Mon Oct 6 09:58:00 EDT 2014
On 6.10.2014 15:26, Bill Burke wrote:
>
>
> A few more things:
>
> Stian made a good point that any extensions we do have to be
> compatible with non keycloak pure oidc adapters. The thing is though,
> OIDC doesn't have a logout request like SAML does. I'll ping pedro to
> see if session information can be extracted from a logout request.
>
AFAIR SAML single-sign out is based on chain of browser redirections to
all apps where you are logged. No "out-of-bound" requests . At least
that's how picketlink is doing afaik (not 100% sure and not sure about
SAML specs). So in this case logout request is browser-based and have
access to JSESSIONID cookie. Hence there is no need to maintain
sessionId in keycloak or any state on adapters as well. I am not 100%
sure (will try to doublecheck..)
Marek
More information about the keycloak-dev
mailing list