[keycloak-dev] identity broker changes
Bill Burke
bburke at redhat.com
Fri Mar 20 19:07:02 EDT 2015
SPI has changed to support logout and multiple callback endpoints (i.e.
Keycloak OIDC chaining will require a logout callback). This SPI is
quite complex, so I don't think we want to expose this to users. I'm
not very happy with it, but I'm not sure how to improve it yet.
What works now:
* If logged in via a SAML broker, a Keycloak-initiated browser logout
will log out of the SAML broker too.
What do I still need to do:
* Make "Update profile" false by default.
* Improve SAML admin console page.
* Implement OIDC broker Keycloak-initiated browser logout.
* Implement OIDC logout endpoint so that I can test OIDC brokering with
Keycloak as a parent.
* Implement SAML backchannel logout where the parent IDP sends a
backchannel logout request.
* Create a new "Keycloak OIDC" provider which extends OIDC and adds
Keycloak extensions like logout.
* Review to make sure error handling is correct.
So, still a lot to do, but I'm at a milestone.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com