[keycloak-dev] JavaScript adapter & caching of session status iframe

Iván Perdomo ivan at akvo.org
Tue Jun 6 09:28:34 EDT 2017


Hi again,

I logged the problem as https://issues.jboss.org/browse/KEYCLOAK-5022

I propose to implement the easiest path: not to cache the iframe status
page.

Let me know if you're OK with this approach.

Thanks,

On 06/05/2017 09:58 AM, Iván Perdomo wrote:
> Hi all,
> 
> We have found an issue when using the JavaScript Adapter [1] and
> upgrading from Keycloak 2.5.1 Final to 3.1.0.Final [2]
> 
>> By default, the JavaScript adapter creates a hidden iframe that is
>> used to detect if a Single-Sign Out has occurred.
> 
> Using default settings, Keycloak will send a cache-control header to the
> browser and will cache the iframe status page for 30 days. [3]
> 
> If you happen to upgrade Keycloak within those 30 days, there is an
> out-of-sync interaction between the adapter and Keycloak. The browser
> won't even make the HTTP request before those 30 days, and the upgraded
> adapter code will attempt to use code from a page that is outdated.
> 
> A potential solution is that we use the Keycloak version as cache
> busting via query parameters [4], e.g. when injecting the iframe it will
> append the Keycloak version:
> 
> https://kc-host/realms/realm/protocol/openid-connect/login-status-iframe.html?kc_version=3.1.0.Final
> 
> Another 'easier' solution is to not cache the status iframe at all.
> This is easier because the JS Adapter is *not* version aware. To include
> the version as cache busting, we'll need to include it as part of the
> Keycloak object, that means touching this file on every release, even if
> the code itself has not changed.
> 
> Do you consider this a bug? Should I log it in JIRA? We're happy to
> contribute the change.
> 
> [1]
> http://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/javascript-adapter.html
> [2] https://github.com/akvo/akvo-lumen/issues/801
> [3]
> https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java#L63
> [4] https://stackoverflow.com/questions/9692665/cache-busting-via-params
> 

-- 
Iván
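The two remedies discussed in this thread, as an added example that is not Keycloak's code nor the original poster's: a small Cache-Control parser that flags a response the browser may keep longer than a chosen limit (the 30-day case described above), and a helper that builds the login-status iframe URL with a version query parameter. The parameter name `kc_version` is the one proposed in the message, not an existing Keycloak parameter, and the function names and sample headers are constructed for this example.

```javascript
// Added example, not part of Keycloak or the original post.
// Shows (1) how to detect that a session-status iframe response is
// cacheable for too long and (2) the cache-busting URL proposed in the thread.

// Parse a Cache-Control header into the directives relevant here.
// Directive names are case-insensitive; only max-age carries a numeric value.
function parseCacheControl(header) {
  const result = { maxAge: null, noStore: false, noCache: false };
  if (!header) return result;
  for (const part of header.split(',')) {
    const [rawName, rawValue] = part.trim().split('=');
    const name = rawName.toLowerCase();
    if (name === 'no-store') {
      result.noStore = true;
    } else if (name === 'no-cache') {
      result.noCache = true;
    } else if (name === 'max-age' && rawValue !== undefined) {
      const seconds = parseInt(rawValue.replace(/"/g, ''), 10);
      if (!Number.isNaN(seconds)) result.maxAge = seconds;
    }
  }
  return result;
}

// True when the browser may serve a cached copy for more than limitSeconds
// without revalidating, i.e. the situation that leaves an upgraded adapter
// talking to a stale iframe page.
function cachedTooLong(header, limitSeconds) {
  const cc = parseCacheControl(header);
  if (cc.noStore || cc.noCache) return false;
  return cc.maxAge !== null && cc.maxAge > limitSeconds;
}

// Cache-busting variant: a new server version produces a new URL, so the
// browser cannot reuse the copy cached under the previous version.
// kc_version is the parameter name proposed in the thread (an assumption).
function statusIframeUrl(authServerUrl, realm, version) {
  const base = authServerUrl.replace(/\/+$/, '') +
    '/realms/' + encodeURIComponent(realm) +
    '/protocol/openid-connect/login-status-iframe.html';
  if (!version) return base;
  return base + '?kc_version=' + encodeURIComponent(version);
}

// Constructed sample headers: the 30-day value described in the thread and a
// no-cache replacement corresponding to the "easiest path" proposal.
const THIRTY_DAYS = 30 * 24 * 60 * 60; // 2592000 seconds
const SAMPLE_LONG_CACHE = 'public, max-age=' + THIRTY_DAYS;
const SAMPLE_NO_CACHE = 'no-cache, no-store, must-revalidate';

console.log('30-day header cached too long (limit 1h):',
  cachedTooLong(SAMPLE_LONG_CACHE, 3600));
console.log('no-cache header cached too long (limit 1h):',
  cachedTooLong(SAMPLE_NO_CACHE, 3600));
console.log(statusIframeUrl('https://kc-host/', 'realm', '3.1.0.Final'));
```

Either remedy works on its own; the version parameter keeps caching benefits between releases, while the no-cache header needs no coordination between adapter and server, which is why the thread favours it given that the adapter is not version aware.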


