[keycloak-dev] identity broker changes
Bill Burke
bburke at redhat.com
Wed Mar 25 19:23:15 EDT 2015
Finished backchannel logout for oidc and saml. Created a "Keycloak
OIDC" type that handles our logout protocol. Had to make changes to
UserSessionProvider and Model to get this to work (and work
efficiently). I think I fixed Facebook and GitHub login, but I haven't
tested it yet.
Still need to:
* Make sure appliance works (all the module dependency stuff)
* Write automated tests
* Auto-import certificate for OIDC validation and .well-known address
* Review to make sure error handling is correct. Tests too for this.
Gonna take me a while to write all the tests :(
On 3/20/2015 7:07 PM, Bill Burke wrote:
> SPI has changed to support logout and multiple callback endpoints (i.e.
> keycloak oidc chaining will require a logout callback). This SPI is
> quite complex, so I don't think we want to expose this to users. I'm
> not very happy with it, but I'm not sure how to improve it yet.
>
> What works now:
> * If logged in via a SAML broker, a keycloak initiated browser logout
> will log out of the SAML broker too.
>
> What do I still need to do:
> * Make "Update profile" false by default.
> * Improve saml admin console page.
> * Implement OIDC broker keycloak initiated browser logout.
> * Implement OIDC logout endpoint so that I can test OIDC brokering with
> Keycloak as a parent.
> * Implement SAML backchannel logout where the parent IDP sends a
> backchannel logout request.
> * Create a new "Keycloak OIDC" provider which extends OIDC and adds
> keycloak extensions like logout.
> * Review to make sure error handling is correct.
>
> So, still a lot to do, but I'm at a milestone.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com