[keycloak-dev] Implementation of Front-Channel Logout for OpenID Connect clients

Stian Thorgersen sthorger at redhat.com
Tue Mar 12 13:57:07 EDT 2019


I have my worries about this spec. It was proposed back in Jan 2017 and is
still in draft state. It seems to be abandoned.

Before adding support for this spec we should look for alternatives and
check what the status is of the spec and why nothing is happening with it.

On Tue, 12 Mar 2019 at 13:16, Diego Liberalquino <diegoliber at gmail.com>
wrote:

> Hi,
>
> I want to make the contribution, yes. I'm very interested that this feature
> gets implemented on Keycloak. It'll take some time though, I'm still
> familiarizing myself with Keycloak's test suite, so I want to make sure my
> contribution doesn't break anything.
>
> I've read this discussion about iframe based logout on SAML and agree
> 100% that the iframe-based approach is the best solution for this
> problem and I was already getting inspiration from the SAML implementation.
> OIDC FrontChannel Spec also expects the use of iframes [1].
>
> Thanks for the follow up!
>
> [1] https://openid.net/specs/openid-connect-frontchannel-1_0.html
>
> Diego
>
> On Tue, Mar 12, 2019 at 8:36 AM Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
> > Link to the discussion was broken:
> > [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.html
> >
> > On Tue, 12 Mar 2019 at 12:30, Marek Posolda <
> > mposolda at redhat.com> wrote:
> >
> >> Hi,
> >>
> >> there is this JIRA opened already [1]. We have it planned, so we want
> >> to look at it, but lack of other things caused that this wasn't
> >> prioritized in the last years... Do you want to contribute the feature?
> >>
> >> BTW. There is this old discussion where we discussed the "iframes" to be
> >> used for frontchannel logout rather than redirect based approach [2].
> >> You can see some more context by going through this old thread. I think
> >> that we already support iframe based frontchannel logout for SAML
> >> specification, or at least it is already available in Hynek's branch as
> >> mentioned in the comment of this JIRA [3]. So hopefully OIDC can re-use
> >> some parts of it.
> >>
> >> Let us know if you're interested in contributing this.
> >>
> >> [1] https://issues.jboss.org/browse/KEYCLOAK-2939
> >> [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.htm
> >> [3] https://issues.jboss.org/browse/KEYCLOAK-5449
> >>
> >> Marek
> >>
> >> On 10/03/2019 04:03, Diego Liberalquino wrote:
> >> > Hello,
> >> >
> >> > A thing that bothers me on Keycloak is the lack of implementation of
> >> > Front-Channel Logout for OpenID Clients. Is there any technical reason for
> >> > this or is it just awaiting a community contribution? I mean, the spec is
> >> > supported for SAML clients, and it also works for external OIDC providers.
> >> >
> >> > Best regards,
> >> > Diego Liberalquino
> >> > _______________________________________________
> >> > keycloak-dev mailing list
> >> > keycloak-dev at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >>
> >>
> >

