[keycloak-dev] Frontchannel logout based on iframes?

Marek Posolda mposolda at redhat.com
Wed May 3 03:47:29 EDT 2017


I went through the OIDC frontchannel logout specification draft [1] and 
realized that it relies heavily on iframes instead of browser 
redirection. Basically, the OP would render an HTML page with hidden iframes 
containing the logout URLs of the clients, like:

<iframe src="frontchannel_logout_uri">

I wonder if we should add some support for the iframe-based approach 
for SAML too. It looks like many vendors, including Shibboleth (see [2]), 
are using it, as it seems to have many advantages over the redirection-based 
approach, like:

- More reliable. With the redirection-based approach used by SAML, the 
IDP needs to redirect the browser to client1, which then needs to 
redirect back to the IDP, which continues with a redirection to client2, etc. 
The problem is that if any client is broken, the whole flow will break and 
the logout won't be finished properly.

- Better performance. Logout requests would be sent concurrently to all 
the clients.

- Better for cross-DC, as there is no need for more writes to the userSession 
cache. The IDP would just render the HTML with the iframes in a single request and 
then remove the userSession entirely.

Possible disadvantages:
- iframes may be blocked on the SP side.

- It will require some JavaScript, though, as for SAML SP-initiated 
logout the IDP needs to send the LogoutResponse back to the SP that 
initiated the logout. This means that once the HTML with the iframes is rendered 
and all the iframe requests are finished, there would need to be some 
callback that automatically redirects the browser back to the SP with the 
LogoutResponse.

- POST binding for logout. Not sure if this would work with iframes, but 
I suppose there are some ways to solve that (an automatically submitted 
form through JavaScript, etc.).

- Anything else?

WDYT? Do we want to add some support for iframe-based logout to our 
SAML clients?


[1] http://openid.net/specs/openid-connect-frontchannel-1_0.html
[2] https://www.switch.ch/aai/support/presentations/update2016/07_logout.pdf

Marek
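An added illustration of the page the mail describes (example code written for this
edit, not Keycloak's own code and not taken from the OIDC draft): an OP-side renderer
that emits the hidden-iframe logout page, appends iss/sid to each client's
frontchannel_logout_uri when that client registered
frontchannel_logout_session_required, and includes the JavaScript callback the mail
says SAML SP-initiated logout would need, finishing with either a redirect or an
auto-submitted POST form carrying the LogoutResponse. The client object shape, the
"done" target shape and all hostnames are assumptions.

```javascript
// Added example, not Keycloak's or the spec's own code. Renders the OP-side
// iframe logout page and the JS callback that returns the browser to the SP
// that started the logout once every iframe has loaded (or a timeout fires).

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Serialise a value for an inline <script>; a literal "</script>" inside a
// string would otherwise terminate the script block early.
function jsLiteral(v) {
  return JSON.stringify(v).replace(/</g, '\\u003c');
}

// OIDC Front-Channel Logout 1.0: the OP appends iss and sid query parameters
// when the RP registered frontchannel_logout_session_required. Client shape
// ({frontchannel_logout_uri, frontchannel_logout_session_required}) assumed.
function buildLogoutIframeUrl(client, issuer, sid) {
  const url = new URL(client.frontchannel_logout_uri);
  if (client.frontchannel_logout_session_required) {
    url.searchParams.set('iss', issuer);
    url.searchParams.set('sid', sid);
  }
  return url.toString();
}

// done = { method: 'GET', url } or { method: 'POST', url, params }: where to
// deliver the LogoutResponse to the SP that initiated logout (assumed shape).
// Returns the page body plus the no-store headers the spec requires.
function renderFrontchannelLogoutPage({ issuer, sid, clients, done, timeoutMs = 5000 }) {
  const iframes = clients.map((c) => {
    const src = buildLogoutIframeUrl(c, issuer, sid);
    // load and error both count as "done". A frame refused by X-Frame-Options
    // still fires load, so the timeout in the script is the only hard
    // guarantee that the user ends up back at the SP.
    return `<iframe src="${escapeHtml(src)}" style="display:none"` +
      ' onload="iframeDone()" onerror="iframeDone()"></iframe>';
  }).join('\n');

  let form = '';
  if (done.method === 'POST') {
    const inputs = Object.entries(done.params || {}).map(([k, v]) =>
      `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`).join('');
    form = `<form id="done" method="post" action="${escapeHtml(done.url)}">${inputs}</form>`;
  }

  // Placed in <head> so iframeDone() exists before any iframe can fire load.
  const script = `
var pending = ${clients.length}, finished = false;
function finish() {
  if (finished) return;
  finished = true;
  var form = document.getElementById('done');
  if (form) { form.submit(); } else { window.location.replace(${jsLiteral(done.url)}); }
}
function iframeDone() { if (--pending <= 0) finish(); }
setTimeout(finish, ${Number(timeoutMs)});
if (pending === 0) { document.addEventListener('DOMContentLoaded', finish); }
`;

  const html = `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Logging out</title>
<script>${script}</script></head>
<body>
${iframes}
${form}
</body></html>`;

  return {
    headers: { 'Cache-Control': 'no-cache, no-store', 'Pragma': 'no-cache' },
    html,
  };
}

// Constructed sample input with hypothetical hosts, not taken from the mail.
function examplePage() {
  return renderFrontchannelLogoutPage({
    issuer: 'https://op.example.test/auth/realms/demo',
    sid: 'sess-123',
    clients: [
      { frontchannel_logout_uri: 'https://rp1.example.test/logout', frontchannel_logout_session_required: true },
      { frontchannel_logout_uri: 'https://rp2.example.test/logout', frontchannel_logout_session_required: false },
    ],
    done: { method: 'POST', url: 'https://sp.example.test/saml/slo',
      params: { SAMLResponse: 'PHNhbWxwOkxvZ291dFJlc3BvbnNlLz4=', RelayState: 'r1' } },
  });
}
```

The page is emitted once and the userSession can be dropped right after, which is
the cross-DC point made above; everything that remains (counting loads, the
timeout, the final redirect or form submit) runs in the browser. Note that the
renderer HTML-escapes every attribute and JS-escapes the redirect URL, since the
logout URIs and SAML RelayState are attacker-influenced input on a page the IDP
serves.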