• Type: Task
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      Derived from KEYCLOAK-4899.

      The algorithm in AuthenticationManager.browserLogout works as follows:

      • It finds the userSession and collects all clients that support backchannel logout; the logout request is sent to them.
      • For frontchannel logout, which is currently supported only for SAML, there is a chain of browser redirects. The particular client redirects back to Keycloak after doing its logout, and Keycloak then redirects to the next frontchannel client. Keycloak tracks which client still needs to be logged out through an update on the userSession. So currently, when a userSession has N frontchannel clients, there are N+1 updates to the userSession during logout before the userSession is finally removed.

      [Marek Posolda] thinks that for cross-dc, we may optimize to have just 1 write to userSession. We can improve this by:

      • Using iframes for the frontchannel logout. There is some discussion on the ML [1]. Using iframes has some other advantages and is generally much better and more robust than the browser-redirect approach.


      This feature is almost complete and involves fixing a TODO in this branch in this commit:

      This would most likely lead to a client parameter that defines the origins allowed to be loaded within an IFRAME, as set by Content-Security-Policy.

      Note that currently the frontchannel logout is only supported by SAML clients.

                • Assignee:
                  hmlnarik Hynek Mlnařík