[keycloak-dev] logout social providers?

Marek Posolda mposolda at redhat.com
Mon Mar 27 11:53:23 EDT 2017

Both options are quite bad imo. But likely better to prefer security 
over usability...

Btv. It looks that currently we never propagate Keycloak logout to 
Facebook. And probably it's same for other social networks.

It looks that FB has some possibility how to propagate logout and it's 
even able to divide between the cases when user was already logged or 
not. There is this for Javascript API [1] and some possibilities here, 
which may work for server-side apps too [2] . But it looks that you need 
Facebook accessToken to logout.

[1] https://developers.facebook.com/docs/reference/javascript/FB.logout
[2] http://stackoverflow.com/questions/2764436/facebook-oauth-logout


On 27/03/17 16:24, Bill Burke wrote:
> Like marek said, you can't really tell if facebook was already logged 
> in or not.  IMO, it is better to annoy the user than the alternative 
> of somebody taking over somebody's Facebook account because they 
> stepped away from the computer.
> On 3/27/17 7:27 AM, Konstantin Gribov wrote:
>> +1 to Marek, if you logged in in keycloak through identity provider 
>> like fb/google/github/whatever user'd be greatly annoyed by logging 
>> him out from fb (and all applications which used that login that 
>> don't go through keycloak) just because user logged out of some 
>> keycloak-integrated application.
>> пн, 27 мар. 2017 г. в 10:13, Marek Posolda <mposolda at redhat.com 
>> <mailto:mposolda at redhat.com>>:
>>     IMO the logout of child broker should be propagated to parent broker
>>     logout just in case, that parent broker was actively authenticated
>>     because of child broker.
>>     In other words, when I click to "Sign In with Facebook" on Keycloak
>>     login screen, but I am already authenticated to Facebook (hence no
>>     Facebook login screen is displayed), then logout from KC shouldn't
>>     logout me from Facebook IMO.
>>     However I don't know if it's possible to detect this. In case that
>>     Keycloak is used as parent broker, we have "auth_time" as a claim
>>     in the
>>     token, so we can decide if parent Keycloak broker was actively
>>     authenticated because of our request. Not sure if Facebook, Google,
>>     Twitter and others OIDC providers have something like this. Also not
>>     even sure if Facebook (and other social providers) allow you to
>>     logout
>>     their session from the "child" app...
>>     Marek
>>     On 25/03/17 17:53, Bill Burke wrote:
>>     > Actually its just account linking that is effected.  If you log in
>>     > through Facebook, you will log out of facebook.  I assume we want a
>>     > logout to happen to linked accounts too.
>>     >
>>     >
>>     > On 3/25/17 12:43 PM, Bill Burke wrote:
>>     >> If a user logs in through Facebook or links to Facebook in the
>>     account
>>     >> service, should we logout the Facebook when the user logs out?  My
>>     >> thinking is that we should otherwise that machine will keep
>>     facebook
>>     >> logged in.
>>     >>
>>     >> Bill
>>     >>
>>     > _______________________________________________
>>     > keycloak-dev mailing list
>>     > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>     > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>     _______________________________________________
>>     keycloak-dev mailing list
>>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> -- 
>> Best regards,
>> Konstantin Gribov

More information about the keycloak-dev mailing list