[keycloak-dev] JavaScript adapter & caching of session status iframe
Stian Thorgersen
sthorger at redhat.com
Wed Jun 7 05:32:37 EDT 2017
There's a similar issue with keycloak.js (https://issues.jboss.org/browse/KEYCLOAK-4556).
I'm thinking about some hybrid solution to what you are suggesting. Have
one endpoint that doesn't cache and another that caches, but includes the
version in the URL. Then it's up to folks to choose which one to use.
I'll prepare a PR for both issues shortly.
On 6 June 2017 at 15:28, Iván Perdomo <ivan at akvo.org> wrote:
> Hi again,
>
> I logged the problem as https://issues.jboss.org/browse/KEYCLOAK-5022
>
> I propose to implement the easiest path: not to cache the iframe status
> page.
>
> Let me know if you're OK with this approach.
>
> Thanks,
>
> On 06/05/2017 09:58 AM, Iván Perdomo wrote:
> > Hi all,
> >
> > We have found an issue when using the JavaScript Adapter [1] and
> > upgrading from Keycloak 2.5.1 Final to 3.1.0.Final [2]
> >
> >> By default, the JavaScript adapter creates a hidden iframe that is
> >> used to detect if a Single-Sign Out has occurred.
> >
> > Using default settings, Keycloak will send a cache-control header to the
> > browser and will cache the iframe status page for 30 days. [3]
> >
> > If you happen to upgrade Keycloak within those 30 days, there is an
> > out-of-sync interaction between the adapter and Keycloak. The browser
> > won't even make the HTTP request before those 30 days, and the upgraded
> > adapter code will attempt to use code from a page that is outdated.
> >
> > A potential solution is that we use the Keycloak version as cache
> > busting via query parameters [4], e.g. when injecting the iframe it will
> > append the Keycloak version:
> >
> > https://kc-host/realms/realm/protocol/openid-connect/login-status-iframe.html?kc_version=3.1.0.Final
> >
> > Another 'easier' solution is to not cache the status iframe at all.
> > This is easier because the JS Adapter is *not* version aware. To include
> > the version as cache busting, we'll need to include it as part of the
> > Keycloak object, that means touching this file on every release, even if
> > the code itself has not changed.
> >
> > Do you consider this a bug? Should I log it in JIRA? We're happy to
> > contribute the change.
> >
> > [1] http://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/javascript-adapter.html
> > [2] https://github.com/akvo/akvo-lumen/issues/801
> > [3] https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java#L63
> > [4] https://stackoverflow.com/questions/9692665/cache-busting-via-params
> >
>
> --
> Iván
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
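A sketch of the version cache-busting and the "uncached vs versioned" policy discussed in this thread, as an added example that is neither Keycloak's code nor any participant's. The kc_version parameter and the 30-day lifetime come from the messages above; treating a missing or mismatched version as "no-cache" is an assumption of this example.

```javascript
// Added example (not Keycloak code): the status iframe page may only be cached
// long-term when its URL carries the server version, because an upgrade then
// changes the URL and the browser cannot keep serving the outdated page.
const STATUS_IFRAME_PATH = "/protocol/openid-connect/login-status-iframe.html";
const THIRTY_DAYS = 30 * 24 * 60 * 60; // seconds; the cache lifetime named in the thread

// Adapter side: build the iframe URL and append kc_version as a cache buster.
// Without a version the URL is left bare, which a server should serve uncached.
function statusIframeUrl(authServerUrl, realm, kcVersion) {
  const base = authServerUrl.replace(/\/+$/, ""); // tolerate a trailing slash
  const url = new URL(`${base}/realms/${encodeURIComponent(realm)}${STATUS_IFRAME_PATH}`);
  if (kcVersion) {
    url.searchParams.set("kc_version", kcVersion);
  }
  return url.toString();
}

// Server side (assumed policy): a versioned URL matching the running server is
// safe to cache for 30 days; an unversioned URL, or one pinned to another
// version, gets no-cache so the browser revalidates on every load.
function cacheControlFor(requestUrl, serverVersion) {
  const requested = new URL(requestUrl).searchParams.get("kc_version");
  if (requested !== null && requested === serverVersion) {
    return `max-age=${THIRTY_DAYS}`;
  }
  return "no-cache";
}

module.exports = { statusIframeUrl, cacheControlFor, THIRTY_DAYS };
```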