Details
- Type: Task
- Resolution: Duplicate
- Priority: Major
Description
Derived from KEYCLOAK-4899.
The algorithm in AuthenticationManager.browserLogout works as follows:
- It finds the userSession and tracks all the clients supporting backchannel logout. The logout request is sent to them.
- For the frontchannel logout, which is currently supported just for SAML, there is a chain of browser redirects. The particular client redirects back to Keycloak after doing its logout, and then Keycloak redirects to the next frontchannel client. Keycloak tracks which client still needs to be logged out through updates on the userSession. So currently, when there is a userSession with N frontchannel clients, there are N+1 updates to the userSession during logout before the userSession is finally removed.
[mposolda@redhat.com] thinks that for cross-dc, we may optimize to have just 1 write to the userSession. We can improve this by:
- Using iframes for the frontchannel logout. There is some discussion on the ML [1]. Using iframes has some other advantages, and generally it's much better and more robust than the browser redirects approach.
[1] http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009267.html
This feature is almost complete and involves fixing a TODO in this branch in this commit:
This would most likely lead to a client parameter that defines the origins allowed to be loaded from within an IFRAME, enforced via Content-Security-Policy.
Note that currently the frontchannel logout is only supported by SAML clients.
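As an added illustration (not Keycloak's code; the client fields are a hypothetical data model), the iframe-based variant sketched above: the logout page frames every frontchannel client in parallel and sends a Content-Security-Policy frame-src built only from the origins each client has registered, skipping any client whose logout URL falls outside them.

```javascript
// Added example (not Keycloak code): models the iframe-based frontchannel logout
// proposed in the issue. The logout page embeds one iframe per frontchannel client
// and sends a Content-Security-Policy frame-src limited to the origins each client
// has registered. The client fields below are a hypothetical data model.

// Constructed sample registry: each client lists the origins it may be framed from.
const clients = [
  { clientId: "saml-app-1", frontchannelLogout: true,
    logoutUrl: "https://app1.example.com/saml/logout",
    allowedFrameOrigins: ["https://app1.example.com"] },
  { clientId: "saml-app-2", frontchannelLogout: true,
    logoutUrl: "https://other.example.net/logout",   // origin not registered
    allowedFrameOrigins: ["https://app2.example.com"] },
  { clientId: "oidc-backchannel", frontchannelLogout: false,
    logoutUrl: "https://api.example.com/k_logout", allowedFrameOrigins: [] },
];

// Origin (scheme + host + port) of a URL, or null if it does not parse.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Frontchannel clients whose logout URL lies within a registered origin.
// A mismatching client is skipped rather than framed, so a bad registration
// cannot make the logout page load an arbitrary third-party document.
function frontchannelTargets(clientList) {
  return clientList
    .filter(c => c.frontchannelLogout)
    .filter(c => c.allowedFrameOrigins.includes(originOf(c.logoutUrl)));
}

// Response for the logout page: the iframes plus a CSP whose frame-src allows
// exactly the target origins ('none' when nothing is framed). Because every
// client is contacted in parallel from this one page, the userSession can be
// removed in a single write instead of N+1 redirect round trips.
function buildLogoutPage(clientList, postLogoutRedirect) {
  const targets = frontchannelTargets(clientList);
  const origins = [...new Set(targets.map(c => originOf(c.logoutUrl)))];
  const csp = "frame-src " + (origins.length ? origins.join(" ") : "'none'");
  // URL.href re-serialises the URL, percent-encoding quotes and angle brackets,
  // so the src attribute cannot be broken out of by a crafted logout URL.
  const iframes = targets.map(c =>
    `<iframe src="${new URL(c.logoutUrl).href}" hidden></iframe>`);
  return { headers: { "Content-Security-Policy": csp }, iframes, postLogoutRedirect };
}
```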
Issue Links
- duplicates: KEYCLOAK-2939 OpenID Connect Front-Channel Logout (Closed)