[keycloak-dev] Implementation of Front-Channel Logout for OpenID Connect clients

Diego Liberalquino diegoliber at gmail.com
Tue Mar 12 08:12:30 EDT 2019


Hi,

I want to make the contribution, yes. I'm very interested that this feature
gets implemented on Keycloak. It'll take some time though, I'm still
familiarizing myself with Keycloak's test suite, so I want to make sure my
contribution doesn't break anything.

I've read this discussion about iframe based logout on SAML and agree
100% that the iframe-based approach is the best solution for this
problem and I was already getting inspiration from the SAML implementation.
OIDC FrontChannel Spec also expects the use of iframes [1].

Thanks for the follow up!

[1] https://openid.net/specs/openid-connect-frontchannel-1_0.html

Diego

On Tue, Mar 12, 2019 at 8:36 AM Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Link to the discussion was broken:
> [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.html
>
> On Tue, Mar 12, 2019 at 12:30 PM Marek Posolda <
> mposolda at redhat.com> wrote:
>
>> Hi,
>>
>> there is this JIRA opened already [1]. We have it planned, so we want
>> to look at it, but lack of other things caused that this wasn't
>> prioritized in the last years... Do you want to contribute the feature?
>>
>> BTW, there is this old discussion where we discussed the "iframes" to be
>> used for frontchannel logout rather than redirect based approach [2].
>> You can see some more context by going through this old thread. I think
>> that we already support iframe based frontchannel logout for SAML
>> specification, or at least it is already available in Hynek's branch as
>> mentioned in the comment of this JIRA [3]. So hopefully OIDC can re-use
>> some parts of it.
>>
>> Let us know if you're interested in contributing this.
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-2939
>> [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.htm
>> [3] https://issues.jboss.org/browse/KEYCLOAK-5449
>>
>> Marek
>>
>> On 10/03/2019 04:03, Diego Liberalquino wrote:
>> > Hello,
>> >
>> > A thing that bothers me on Keycloak is the lack of implementation of
>> > Front-Channel Logout for OpenID Clients. Is there any technical reason for
>> > this or is it just awaiting a community contribution? I mean, the spec is
>> > supported for SAML clients, and it also works for external OIDC providers.
>> >
>> > Best regards,
>> > Diego Liberalquino
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>

