[keycloak-dev] JavaScript adapter & caching of session status iframe

Iván Perdomo ivan at akvo.org
Mon Jun 5 03:58:28 EDT 2017


Hi all,

We have found an issue when using the JavaScript Adapter [1] and
upgrading from Keycloak 2.5.1 Final to 3.1.0.Final [2]

> By default, the JavaScript adapter creates a hidden iframe that is
> used to detect if a Single-Sign Out has occurred.

Using default settings, Keycloak will send a cache-control header to the
browser and will cache the iframe status page for 30 days. [3]

If you happen to upgrade Keycloak within those 30 days, there is an
out-of-sync interaction between the adapter and Keycloak. The browser
won't even make the HTTP request before those 30 days, and the upgraded
adapter code will attempt to use code from a page that is outdated.

A potential solution is that we use the Keycloak version as cache
busting via query parameters [4], e.g. when injecting the iframe it will
append the Keycloak version:

https://kc-host/realms/realm/protocol/openid-connect/login-status-iframe.html?kc_version=3.1.0.Final

Another 'easier' solution is to not cache the status iframe at all.
This is easier because the JS Adapter is *not* version aware. To include
the version as cache busting, we'll need to include it as part of the
Keycloak object, that means touching this file on every release, even if
the code itself has not changed.

Do you consider this a bug? Should I log it in JIRA? We're happy to
contribute the change.

[1]
http://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/javascript-adapter.html
[2] https://github.com/akvo/akvo-lumen/issues/801
[3]
https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java#L63
[4] https://stackoverflow.com/questions/9692665/cache-busting-via-params

-- 
Iván
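The two options raised in the message, as an added example that is not part of the original post and not Keycloak's own adapter or server code: a helper that builds the login-status iframe URL with the version appended as a cache-busting query parameter, and a small Cache-Control parser that tells whether a cached copy of the page could outlive a given upgrade window (the case in which the mismatch above occurs). The function names, the trailing-slash handling and the sample values are assumptions made for this example.

```javascript
// Added example, not Keycloak's own adapter code. Helper names are assumptions.
// Builds the login-status iframe URL and appends the Keycloak version as a
// cache-busting query parameter, so a browser that cached the old page under
// a long max-age requests the new one after an upgrade.
function statusIframeUrl(authServerUrl, realm, version) {
  const base = authServerUrl.replace(/\/+$/, ''); // tolerate a trailing slash
  const url = new URL(
    `${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/login-status-iframe.html`
  );
  url.searchParams.set('kc_version', version);
  return url.toString();
}

// Parses a Cache-Control response header value. Returns 0 when the response
// must not be served from cache without revalidation (no-store / no-cache),
// the max-age in seconds when one is given, and null when no explicit
// freshness lifetime is present.
function cacheMaxAgeSeconds(cacheControl) {
  if (!cacheControl) return null;
  const directives = cacheControl.split(',').map((d) => d.trim().toLowerCase());
  if (directives.includes('no-store') || directives.includes('no-cache')) return 0;
  for (const d of directives) {
    const m = /^max-age=(\d+)$/.exec(d);
    if (m) return parseInt(m[1], 10);
  }
  return null;
}

// True when a cached copy of the iframe page could outlive an upgrade window
// of the given length in seconds, i.e. the adapter/page mismatch is possible.
function cacheOutlivesUpgradeWindow(cacheControl, windowSeconds) {
  const maxAge = cacheMaxAgeSeconds(cacheControl);
  return maxAge !== null && maxAge > windowSeconds;
}

// Constructed sample values for a stand-alone run.
const THIRTY_DAYS = 30 * 24 * 60 * 60;
const ONE_WEEK = 7 * 24 * 60 * 60;
console.log(statusIframeUrl('https://kc-host/', 'realm', '3.1.0.Final'));
console.log(cacheOutlivesUpgradeWindow(`max-age=${THIRTY_DAYS}, private`, ONE_WEEK)); // true
console.log(cacheOutlivesUpgradeWindow('no-cache, no-store, must-revalidate', ONE_WEEK)); // false
```

With the version in the query string, the browser treats the post-upgrade URL as a different resource and fetches it even while the old one is still fresh in its cache; with `no-cache` on the server side, the browser revalidates on every load instead, which is the "do not cache at all" alternative.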
