[keycloak-dev] logout social providers?

Marek Posolda mposolda at redhat.com
Mon Mar 27 03:11:42 EDT 2017


IMO the logout of child broker should be propagated to parent broker 
logout just in case, that parent broker was actively authenticated 
because of child broker.

In other words, when I click to "Sign In with Facebook" on Keycloak 
login screen, but I am already authenticated to Facebook (hence no 
Facebook login screen is displayed), then logout from KC shouldn't 
logout me from Facebook IMO.

However I don't know if it's possible to detect this. In case that 
Keycloak is used as parent broker, we have "auth_time" as a claim in the 
token, so we can decide if parent Keycloak broker was actively 
authenticated because of our request. Not sure if Facebook, Google, 
Twitter and other OIDC providers have something like this. Also not 
even sure if Facebook (and other social providers) allow you to logout 
their session from the "child" app...

Marek

On 25/03/17 17:53, Bill Burke wrote:
> Actually it's just account linking that is affected.  If you log in
> through Facebook, you will log out of Facebook.  I assume we want a
> logout to happen to linked accounts too.
>
>
> On 3/25/17 12:43 PM, Bill Burke wrote:
>> If a user logs in through Facebook or links to Facebook in the account
>> service, should we logout the Facebook when the user logs out?  My
>> thinking is that we should, otherwise that machine will keep Facebook
>> logged in.
>>
>> Bill
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
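
An added example, not part of the original thread and not Keycloak code: one way a child broker could use the "auth_time" claim mentioned above to decide whether the parent login happened because of its own request. It assumes the ID token signature has already been verified; the function names, the 30-second clock skew, the sample timestamps and the choice not to propagate logout when "auth_time" is absent are all assumptions made for illustration.

```python
import base64
import json

CLOCK_SKEW_SECONDS = 30  # assumed tolerance between broker and IdP clocks


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_claims(id_token: str) -> dict:
    """Decode the payload of an ID token whose signature was already verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parent_actively_authenticated(id_token: str, redirect_sent_at: int):
    """True/False when auth_time is present, None when the IdP omits it."""
    auth_time = read_claims(id_token).get("auth_time")
    if not isinstance(auth_time, int):
        return None  # cannot tell whether our request caused the login
    # A login at or after our redirect (minus skew) was triggered by us;
    # an older auth_time means the parent session already existed.
    return auth_time >= redirect_sent_at - CLOCK_SKEW_SECONDS


def should_propagate_logout(id_token: str, redirect_sent_at: int) -> bool:
    """Propagate logout only if our request caused the parent login.
    Treating "unknown" as "do not propagate" is an assumption."""
    return parent_actively_authenticated(id_token, redirect_sent_at) is True


# Constructed sample data: time the broker redirected the user to the parent.
REDIRECT_SENT_AT = 1490598000
FRESH_LOGIN = make_sample_token({"sub": "u1", "auth_time": REDIRECT_SENT_AT + 42})
EXISTING_SESSION = make_sample_token({"sub": "u1", "auth_time": REDIRECT_SENT_AT - 8000})
NO_AUTH_TIME = make_sample_token({"sub": "u1"})

if __name__ == "__main__":
    for name, tok in [("fresh", FRESH_LOGIN), ("existing", EXISTING_SESSION),
                      ("no auth_time", NO_AUTH_TIME)]:
        print(name, should_propagate_logout(tok, REDIRECT_SENT_AT))
```
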
