[keycloak-user] Session state iframe doesn't work reliably

Виталий Ищенко betalb at gmail.com
Sun Dec 3 07:49:34 EST 2017


Found some issues in the KC tracker; it looks like both of them are related to
the CORS error that I was referring to:

https://issues.jboss.org/browse/KEYCLOAK-4214
https://issues.jboss.org/browse/KEYCLOAK-5304

The 1st one seems to be In Progress, but it was moved to this status 6 months
ago.

On Thu, Nov 30, 2017 at 3:09 PM Виталий Ищенко <betalb at gmail.com> wrote:

> Hello
>
> I'm trying to set up a seamless logout flow for an SPA, but am falling into
> an issue in the following scenario.
>
> The user is logged in with a public client using the code grant, with the
> check login iframe enabled.
> I see that the KEYCLOAK_SESSION cookie is set during the code exchange phase,
> and later used in the iframe to validate the user session.
>
> The application refreshes the token using refresh_token when access_token is
> close to expiration.
>
> Now I log the user out from the application using the Keycloak admin app.
>
> I do not expect that the user should be logged out immediately.
> But what I do expect is to get an error response from the token endpoint when
> I try to refresh the token next time.
> The response returned by the OP doesn't have CORS headers, so the application
> can't access any information from the response that will allow distinguishing
> between a network error and CORS-related errors.
>
> Another option may be to clear the cookie in response to the token endpoint call.
>
> Any help will be appreciated.
>
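
The refresh scenario described in the message above, as an added example that is not part of the original thread and is not Keycloak or adapter code: it classifies what an SPA can actually observe from a refresh_token request and fails closed when the result is unreadable. The function names, outcome labels, retry threshold and stub responses are assumptions made for illustration.

```javascript
// Added example: classify the result of a refresh_token request in an SPA.
// fetchImpl is injected so constructed stubs can stand in for the browser's fetch.
async function refreshTokens(fetchImpl, tokenUrl, clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  });
  let res;
  try {
    res = await fetchImpl(tokenUrl, { method: "POST", body });
  } catch (err) {
    // fetch rejects with a TypeError for a network failure and for a response
    // that fails the CORS check; script gets no status or body in either case.
    return { outcome: "unreadable" };
  }
  const json = await res.json().catch(() => ({}));
  if (res.ok) return { outcome: "refreshed", tokens: json };
  // Only reachable when the error response itself carries CORS headers.
  if (res.status === 400 && json.error === "invalid_grant") {
    return { outcome: "session_ended" }; // RFC 6749 section 5.2 error code
  }
  return { outcome: "server_error", status: res.status };
}

// Fail closed: the session is not kept alive on unverifiable refresh results.
function nextAction(result, unreadableStreak, maxUnreadable = 2) {
  switch (result.outcome) {
    case "refreshed": return "continue";
    case "session_ended": return "reauthenticate";
    case "unreadable":
      return unreadableStreak + 1 >= maxUnreadable ? "reauthenticate" : "retry";
    default: return "retry";
  }
}

// Constructed stubs (not real Keycloak responses).
const corsBlocked = async () => { throw new TypeError("Failed to fetch"); };
const invalidGrant = async () => ({
  ok: false, status: 400, json: async () => ({ error: "invalid_grant" }),
});
const success = async () => ({
  ok: true, status: 200, json: async () => ({ access_token: "constructed" }),
});
```

With the `corsBlocked` stub the caller only ever sees `unreadable`, which is why the policy function sends the user back through login after repeated unreadable results instead of assuming the session is still valid.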

