[keycloak-dev] Session SPI for adapters

Stian Thorgersen stian at redhat.com
Tue Oct 7 09:55:10 EDT 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 7 October, 2014 3:47:01 PM
> Subject: Re: [keycloak-dev] Session SPI for adapters
> 
> 
> 
> On 10/7/2014 8:38 AM, Bill Burke wrote:
> >>>>
> >>>> SAML has out-of-band logout requests too.  At least that's what I think
> >>>> Pedro told me.
> >>>>
> >>>
> >>> For Picketlink SAML SPs, you either do a browser redirect protocol to
> >>> each SP for Single Logout, or you do an out-of-band logout request to
> >>> the SP.  PL SAML SP adapter currently has the same problem as us in a
> >>> cluster.  They keep an in-memory map between username and http session.
> >>
> >> Would it make sense to add redirect logout as well? Then you can set in
> >> the admin console which logout mechanism you want (none, redirect or
> >> out-of-band request?)
> >>
> >
> > Yes.  I'm going to do that.  I need to add logout to the protocol SPI.
> >
> 
> IMO, logouts via redirects are really ugly and you don't really need a
> redirect logout for keycloak.js clients.  With the iframe hack OpenID
> Connect has (and we implemented), you can just check if the user is
> logged out when a UI event happens.

I agree - how about we add the option to save the refresh token only. Then you have the two scenarios:

a) app is open (loaded in a browser tab) - the iframe detects the logout straight away
b) app is closed - if the user opens the app, the refresh token is retrieved from the session store; the app will try to get an access token but fail because the session is closed

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 