[keycloak-dev] Session SPI for adapters
Bill Burke
bburke at redhat.com
Tue Oct 7 09:47:01 EDT 2014
On 10/7/2014 8:38 AM, Bill Burke wrote:
>>>>
>>>> SAML has out-of-band logout requests too. At least that's what I think
>>>> Pedro told me.
>>>>
>>>
>>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>>> each SP for Single Log out, or you do an out of band logout request to
>>> the SP. PL SAML SP adapter currently has the same problem as us in a
>>> cluster. They keep an in-memory map between username and http session.
>>
>> Would it make sense to add redirect logout as well? Then you can set in the admin console which logout mechanism you want (none, redirect or out-of-band request?)
>>
>
> Yes. I'm going to do that. I need to add logout to the protocol SPI.
>
IMO, logouts via redirects are really ugly and you don't really need a
redirect logout for keycloak.js clients. With the iframe hack OpenID
Connect has (and we implemented), you can just check if the user is
logged out when a UI event happens.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com