[keycloak-dev] Implementation of Front-Channel Logout for OpenID Connect clients

Stian Thorgersen sthorger at redhat.com
Thu Mar 14 10:44:34 EDT 2019


Got confirmation from the OIDC group that session management and both
logout specifications are on track to be finalised soon.

So - Contributions welcome :)

On Tue, 12 Mar 2019 at 18:57, Stian Thorgersen <sthorger at redhat.com> wrote:

> I have my worries about this spec. It was proposed back in Jan 2017 and is
> still in draft state. It seems to be abandoned.
>
> Before adding support for this spec we should look for alternatives and
> check what the status is of the spec and why nothing is happening with it.
>
> On Tue, 12 Mar 2019 at 13:16, Diego Liberalquino <diegoliber at gmail.com>
> wrote:
>
>> Hi,
>>
>> I want to make the contribution, yes. I'm very interested that this feature
>> gets implemented on Keycloak. It'll take some time though, I'm still
>> familiarizing myself with Keycloak's test suite, so I want to make sure my
>> contribution doesn't break anything.
>>
>> I've read this discussion about iframe based logout on SAML and agree
>> 100% that the iframe-based approach is the best solution for this
>> problem and I was already getting inspiration from the SAML implementation.
>> OIDC FrontChannel Spec also expects the use of iframes [1].
>>
>> Thanks for the follow up!
>>
>> [1] https://openid.net/specs/openid-connect-frontchannel-1_0.html
>>
>> Diego
>>
>> On Tue, Mar 12, 2019 at 8:36 AM Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>> > Link to the discussion was broken:
>> > [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.html
>> >
>> > On Tue, 12 Mar 2019 at 12:30, Marek Posolda <
>> > mposolda at redhat.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> there is this JIRA opened already [1]. We have it planned, so we want
>> >> to look at it, but lack of other things caused that this wasn't
>> >> prioritized in the last years... Do you want to contribute the feature?
>> >>
>> >> BTW, there is this old discussion where we discussed the "iframes" to be
>> >> used for frontchannel logout rather than the redirect-based approach [2].
>> >> You can see some more context by going through this old thread. I think
>> >> that we already support iframe based frontchannel logout for SAML
>> >> specification, or at least it is already available in Hynek's branch as
>> >> mentioned in the comment of this JIRA [3]. So hopefully OIDC can re-use
>> >> some parts of it.
>> >>
>> >> Let us know if you're interested in contributing this.
>> >>
>> >> [1] https://issues.jboss.org/browse/KEYCLOAK-2939
>> >> [2] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009260.htm
>> >> [3] https://issues.jboss.org/browse/KEYCLOAK-5449
>> >>
>> >> Marek
>> >>
>> >> On 10/03/2019 04:03, Diego Liberalquino wrote:
>> >> > Hello,
>> >> >
>> >> > A thing that bothers me on Keycloak is the lack of implementation of
>> >> > Front-Channel Logout for OpenID Clients. Is there any technical reason for
>> >> > this or is it just awaiting a community contribution? I mean, the spec is
>> >> > supported for SAML clients, and it also works for external OIDC providers.
>> >> >
>> >> > Best regards,
>> >> > Diego Liberalquino
>> >> > _______________________________________________
>> >> > keycloak-dev mailing list
>> >> > keycloak-dev at lists.jboss.org
>> >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>
>> >>
>> >>
>> >
>
>

