Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-5449

Optimize front-channel logout - Via IFRAME



    • Task
    • Resolution: Duplicate
    • Major
    • None
    • None
    • None
    • None


      Derived from KEYCLOAK-4899.

      The algorithm in AuthenticationManager.browserLogout works in a way that:

      • It finds the userSession and tracks all the clients supporting backchannel logout. The Logout request is sent to them
      • For the frontchannel logout, which is currently supported just for SAML, there is a chain of browser redirects . The particular client redirects back to keycloak after doing it's logout and then Keycloak redirects to other frontchannel client. Keycloak tracks, which client needs to be logged-out through the update on userSession. So currently when there is userSession with N fronchannel clients, there are N+1 updates to the userSession during logout before userSession is finally removed.

      [mposolda@redhat.com] thinks that for cross-dc, we may optimize to have just 1 write to userSession. We can improve this by:

      • Using iframes for the frontchannel logout. There is some discussion on ML [1] . Using iframes has some other advantages and generally it's much better and more robust than browser redirects approach.

      [1] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009267.html

      This feature is almost complete and involves fixing a TODO in this branch in this commit:

      This would most likely lead to a parameter of client that would define allowed origins to be allowed to load from within IFRAME as set by Content-Security-Policy.

      Note that currently the frontchannel logout is only supported by SAML clients.


        Issue Links


            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: KEYCLOAK


                Unassigned Unassigned
                hmlnarik@redhat.com Hynek Mlnařík
                0 Vote for this issue
                6 Start watching this issue