Single logout issue #44

Open
vanrar68 opened this issue Jan 10, 2020 · 4 comments

@vanrar68

Hi!

When a WSFed client sends a signout request to Keycloak and the user is connected to multiple WSFed clients, Keycloak will send a backchannel logout request to all other connected clients. After reading the code, the URL used to perform the backchannel logout is the first URL found in the "Valid Redirect URIs" setting of the client. This is a bad idea because the order of the values in the "Valid Redirect URIs" list cannot be chosen/forced.

Is it possible to store the backchannel logout URL in a dedicated field or use an existing field like "Admin URL"?
If not possible, it should at least be mentioned in the "Valid Redirect URIs" tooltip that the first value of the list will also be used for backchannel logout purposes.

Thanks
Regards

--
Joaquim

@fperot74

Perhaps it could be possible to choose in "Valid Redirect URIs" according to the referer of the logout request?
As we are currently pretty busy with many other topics, wsfed is not currently in our tasks list.
Do not hesitate to submit a PR.

@vanrar68 vanrar68 changed the title Backchannel logout issue Single logout issue May 5, 2020
@vanrar68
Author

vanrar68 commented May 5, 2020

Let's imagine the following scenario:

  • a user is connected to 2 WSFED clients
  • The user clicks on the logout link in Client1
  • Client1 sends a logout request to Keycloak (wa=wsignout1.0)
  • Keycloak now has to trigger the logout for Client2 (wa=wsignoutcleanup1.0)

The problem is the following: there is no way for Keycloak to "guess" the logout endpoint of Client2 among the Redirect URIs configured for Client2. That's why I'm proposing to store the logout URL in a dedicated field (the same way it's done for SAML clients, using the "Logout Service Redirect Binding URL" form field).
I can submit a PR to address this issue if you're OK with that.

PS: please note that this is not related specifically to backchannel logout but more precisely to single logout (the original title of this issue was misleading, I'll open another issue regarding the backchannel logout problem).
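The scenario in the comment above, sketched as an added example that is not part of the thread or of the plugin's code: the identity provider plans `wa=wsignoutcleanup1.0` requests only from a dedicated per-client logout URL and reports clients where it would otherwise have to guess among redirect URIs. The client records, the `logout_url` field name and the `*.example` hosts are assumptions made up for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

class LogoutConfigError(Exception):
    """Raised when a client has no usable single-logout endpoint."""

def cleanup_url(client):
    """Build the wsignoutcleanup1.0 URL for one client, or raise."""
    url = client.get("logout_url")  # hypothetical dedicated field
    if not url:
        n = len(client.get("redirect_uris", ()))
        raise LogoutConfigError(
            f"{client['id']}: no dedicated logout URL, "
            f"refusing to guess among {n} redirect URI(s)")
    parts = urlsplit(url)
    # A logout endpoint must be one concrete URL, never a wildcard pattern.
    if parts.scheme != "https" or not parts.netloc or "*" in url:
        raise LogoutConfigError(f"{client['id']}: invalid logout URL {url!r}")
    # Keep any existing query parameters but force our own 'wa' action.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "wa"]
    query.append(("wa", "wsignoutcleanup1.0"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       urlencode(query), ""))

def plan_single_logout(session_clients, initiator_id):
    """Return (targets, skipped) for every client except the initiator."""
    targets, skipped = {}, {}
    for client in session_clients:
        if client["id"] == initiator_id:
            continue  # the initiator sent wa=wsignout1.0 itself
        try:
            targets[client["id"]] = cleanup_url(client)
        except LogoutConfigError as exc:
            skipped[client["id"]] = str(exc)
    return targets, skipped

# Constructed sample session: three WS-Fed clients sharing one user session.
SESSION_CLIENTS = [
    {"id": "client1", "redirect_uris": {"https://app1.example/*"},
     "logout_url": "https://app1.example/wsfed"},
    {"id": "client2",
     "redirect_uris": {"https://app2.example/*", "https://app2.example/callback"},
     "logout_url": "https://app2.example/wsfed/logout"},
    {"id": "client3", "redirect_uris": {"https://app3.example/*"}},
]

if __name__ == "__main__":
    targets, skipped = plan_single_logout(SESSION_CLIENTS, "client1")
    print("cleanup requests:", targets)
    print("not logged out:", skipped)
```

Clients that end up in `skipped` still hold a live local session after the user believes they have logged out, so that list is worth surfacing to an administrator.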

@fperot74

With the use of a dedicated field, it sounds like a clean solution.
It's OK for us if you want to submit a PR: it will be reviewed with great interest.

@vanrar68
Author

Will do
