[keycloak-dev] Session SPI for adapters

Bill Burke bburke at redhat.com
Tue Oct 7 08:38:24 EDT 2014



On 10/7/2014 2:13 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 6 October, 2014 8:38:01 PM
>> Subject: Re: [keycloak-dev] Session SPI for adapters
>>
>>
>>
>> On 10/6/2014 10:28 AM, Bill Burke wrote:
>>>
>>>
>>> On 10/6/2014 9:58 AM, Marek Posolda wrote:
>>>> On 6.10.2014 15:26, Bill Burke wrote:
>>>>>
>>>>>
>>>>> A few more things:
>>>>>
>>>>> Stian made a good point that any extensions we do have to be
>>>>> compatible with non keycloak pure oidc adapters.  The thing is though,
>>>>> OIDC doesn't have a logout request like SAML does.  I'll ping pedro to
>>>>> see if session information can be extracted from a logout request.
>>>>>
>>>> AFAIR SAML single-sign out is based on a chain of browser redirections to
>>>> all apps where you are logged in. No "out-of-bound" requests. At least
>>>> that's how picketlink is doing it afaik (not 100% sure and not sure about
>>>> SAML specs). So in this case the logout request is browser-based and has
>>>> access to the JSESSIONID cookie. Hence there is no need to maintain
>>>> sessionId in keycloak or any state on adapters as well. I am not 100%
>>>> sure (will try to double-check..)
>>>>
>>>
>>> SAML has out-of-band logout requests too.  At least that's what I think
>>> Pedro told me.
>>>
>>
>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>> each SP for Single Log out, or you do an out of band logout request to
>> the SP.  PL SAML SP adapter currently has the same problem as us in a
>> cluster.  They keep an in-memory map between username and http session.
>
> Would it make sense to add redirect logout as well? Then you can set in the admin console which logout mechanism you want (none, redirect or out-of-band request?)
>

Yes.  I'm going to do that.  I need to add logout to the protocol SPI.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
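As an added illustration of the two logout styles debated in this thread (not code from Keycloak or PicketLink, and the class and function names are hypothetical), the following Python model shows why the browser-redirect flow needs no adapter-side state while an out-of-band logout request forces the adapter to resolve the session from an in-memory map, which is node-local and therefore leaves stale sessions on other cluster nodes. The map is keyed by an assumed SSO session id rather than by username, so that one user's sessions on different browsers can be told apart; all session ids below are constructed sample values.

```python
"""Added example, not project code: front-channel vs. back-channel SAML
logout as seen from an application adapter, and the cluster failure mode
of keeping the SSO-session -> HTTP-session map in node-local memory."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpSession:
    session_id: str        # value of the JSESSIONID cookie
    user: str
    sso_session_id: str    # IdP/SSO session this local session belongs to (assumed field)
    valid: bool = True


@dataclass
class AdapterNode:
    """One application node. Both maps live only in this node's memory."""
    name: str
    sessions: Dict[str, HttpSession] = field(default_factory=dict)
    # in-memory map like the one the thread describes, keyed by SSO session id
    by_sso: Dict[str, List[str]] = field(default_factory=dict)

    def login(self, jsessionid: str, user: str, sso_session_id: str) -> HttpSession:
        s = HttpSession(jsessionid, user, sso_session_id)
        self.sessions[jsessionid] = s
        self.by_sso.setdefault(sso_session_id, []).append(jsessionid)
        return s

    def front_channel_logout(self, cookie_jsessionid: Optional[str]) -> bool:
        """Browser-redirect logout: the request carries the JSESSIONID cookie,
        so the node can invalidate its own session without any SSO map."""
        s = self.sessions.get(cookie_jsessionid or "")
        if s is None or not s.valid:
            return False
        s.valid = False
        return True

    def back_channel_logout(self, sso_session_id: str) -> int:
        """Out-of-band logout sent by the IdP: there is no browser cookie, so the
        adapter must look the sessions up in its local map. Returns the number
        of sessions invalidated on this node only."""
        count = 0
        for jsid in self.by_sso.pop(sso_session_id, []):
            s = self.sessions.get(jsid)
            if s is not None and s.valid:
                s.valid = False
                count += 1
        return count


def cluster_scenario() -> dict:
    """Two nodes, one user, one SSO session; the back-channel request reaches
    only node a, so node b keeps a stale, still-valid session."""
    node_a, node_b = AdapterNode("a"), AdapterNode("b")
    node_a.login("JSA1", "alice", "sso-123")          # constructed ids
    node_b.login("JSB1", "alice", "sso-123")          # same user, routed to node b
    invalidated_on_a = node_a.back_channel_logout("sso-123")
    return {
        "a_invalidated": invalidated_on_a,
        "a_valid": node_a.sessions["JSA1"].valid,
        "b_valid": node_b.sessions["JSB1"].valid,     # True: the cluster problem
    }


def front_channel_scenario() -> tuple:
    """Redirect chain: the browser itself hits node b with node b's cookie."""
    node_b = AdapterNode("b")
    node_b.login("JSB1", "alice", "sso-123")
    ok = node_b.front_channel_logout("JSB1")
    return ok, node_b.sessions["JSB1"].valid


if __name__ == "__main__":
    print(cluster_scenario())        # {'a_invalidated': 1, 'a_valid': False, 'b_valid': True}
    print(front_channel_scenario())  # (True, False)
```

The stale session on node b is exactly the gap a shared (replicated or IdP-backed) session registry would close; with the redirect-only mechanism the problem does not arise, at the cost of depending on the browser completing every hop of the chain.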

