The way Keycloak is chaining the WSFED logout requests when a user is connected to multiple WSFED clients can lead to the user not being disconnected from some of these clients.
Imagine the following scenario:

1. A user is connected to 3 WSFED clients.
2. The user clicks on the logout link in Client1.
3. Client1 sends `wa=signout1.0&wreply=LandingPage` to Keycloak.
4. Keycloak sends (via browser redirect) `wa=signoutcleanup1.0&wreply=keycloakurl` to Client2.
5. Client2 redirects the browser to Keycloak.
6. Keycloak sends (via browser redirect) `wa=signoutcleanup1.0&wreply=keycloakurl` to Client3.
7. Client3 redirects the browser to Keycloak.
8. Keycloak redirects the browser to the Client1 landing page.
This is how things are supposed to work in a front-channel logout scenario (exactly like for SAML but without the token).

The problem is that a few well-known WSFED clients (namely Microsoft SharePoint and Exchange OWA) won't make use of the `wreply` parameter when receiving a `wa=signoutcleanup1.0` request. Keycloak will never get a chance to trigger a logout request directed at Client2 and Client3.
In the above scenario this means that after clicking the "logout" link in Client1, the user will still have a valid session in Client2 and Client3 and even worse, will have no clue about it.
A solution would be the following scenario:

1. A user is connected to 3 WSFED clients.
2. The user clicks on the logout link in Client1.
3. Client1 sends `wa=signout1.0&wreply=LandingPage` to Keycloak.
4. Keycloak sends a response containing an iFrame pointing to Client2.logoutURL and an autoload form pointing to itself.
5. Keycloak sends a response containing an iFrame pointing to Client3.logoutURL and an autoload form pointing to itself.
6. Keycloak redirects the browser to the Client1 landing page.
This way the logout requests initiated by Keycloak are independent of the client behaviour.
Ideally, upon receiving a `wa=signout1.0` request Keycloak could send a single response containing multiple iFrames pointing to the connected clients' logout URLs in order to trigger all logouts in the same request (just like ADFS does), but that would require changes at the Keycloak level.

I've implemented and tested this successfully with SharePoint. I can submit a PR with both the current behavior and the iFrame logout as an alternative. Let me know.
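To make the difference between the two flows concrete, here is an added example (not code from the issue, from Keycloak or from the wsfed extension) that models both strategies: the serial redirect chain, where every relying party must bounce the browser back to `wreply` before the IdP can reach the next one, and the single-response variant the issue describes as ideal, with one hidden iframe per client. Client names, URLs and the `honours_wreply` flags are constructed; the emitted HTML is an illustration rather than any real template. The code uses the WS-Federation spelling of the cleanup action, `wsignoutcleanup1.0`.

```python
"""Model of serial (redirect chain) vs. parallel (iframe) WS-Fed front-channel logout.
Constructed example: client names, URLs and honours_wreply flags are made up, and the
HTML is illustrative, not Keycloak's or the wsfed extension's own template."""
import re
from dataclasses import dataclass
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlparse

# Action value a WS-Federation IdP sends to relying parties during sign-out cleanup
SIGNOUT_CLEANUP = "wsignoutcleanup1.0"
IFRAME_SRC = re.compile(r'<iframe src="([^"]+)"')


@dataclass
class WsFedClient:
    name: str
    logout_url: str       # relying-party endpoint that receives the cleanup request
    honours_wreply: bool  # False models clients that ignore wreply (SharePoint/OWA per the issue)


def cleanup_url(client: WsFedClient, wreply: str) -> str:
    """Cleanup request the IdP directs at one relying party."""
    return f"{client.logout_url}?{urlencode({'wa': SIGNOUT_CLEANUP, 'wreply': wreply})}"


def handle_cleanup(client: WsFedClient, request_url: str):
    """Simulated relying party: ends its local session and returns where it sends the
    browser next, or None when it ignores wreply and the browser stays on the client."""
    params = parse_qs(urlparse(request_url).query)
    if params.get("wa") != [SIGNOUT_CLEANUP]:
        raise ValueError(f"{client.name}: unexpected wa={params.get('wa')}")
    if client.honours_wreply and "wreply" in params:
        return params["wreply"][0]
    return None


def chained_logout(clients, idp_url):
    """Current behaviour: one client at a time; the IdP only reaches the next client if
    the previous one redirected back to wreply. Returns the clients actually cleaned up."""
    terminated = []
    for client in clients:
        next_hop = handle_cleanup(client, cleanup_url(client, idp_url))
        terminated.append(client.name)
        if next_hop != idp_url:
            break  # browser never returns to the IdP; the remaining clients are skipped
    return terminated


def iframe_logout_page(clients, idp_url, landing_page):
    """Proposed behaviour: one HTML response with a hidden iframe per client plus an
    auto-submitting form that takes the top-level browser window to the landing page."""
    frames = "\n".join(
        f'  <iframe src="{escape(cleanup_url(c, idp_url), quote=True)}" style="display:none"></iframe>'
        for c in clients
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f"{frames}\n"
        f'  <form method="post" action="{escape(landing_page, quote=True)}"></form>\n'
        "</body></html>"
    )


def parallel_logout(clients, idp_url, landing_page):
    """Simulated browser: each iframe loads independently, so a client that ignores
    wreply no longer prevents the others from being reached."""
    page = iframe_logout_page(clients, idp_url, landing_page)
    terminated = []
    for src in IFRAME_SRC.findall(page):
        src = unescape(src)  # undo attribute escaping (&amp; -> &) before parsing the URL
        client = next(c for c in clients if src.startswith(c.logout_url + "?"))
        handle_cleanup(client, src)  # any redirect the client issues stays inside its frame
        terminated.append(client.name)
    return terminated


IDP = "https://idp.example/auth/realms/demo/protocol/wsfed"  # constructed IdP endpoint
LANDING = "https://client1.example/loggedout"                # constructed landing page
# Client1 initiated the logout; Client2 (SharePoint-like) and Client3 still need cleanup.
CLIENTS = [
    WsFedClient("Client2", "https://sharepoint.example/_trust/", honours_wreply=False),
    WsFedClient("Client3", "https://client3.example/wsfed/", honours_wreply=True),
]

if __name__ == "__main__":
    print("chained :", chained_logout(CLIENTS, IDP))            # Client3 is never reached
    print("parallel:", parallel_logout(CLIENTS, IDP, LANDING))  # both clients cleaned up
```

Run it as a script: the chained model stops after Client2 because the browser never comes back to the IdP, leaving Client3 with a live session the user knows nothing about, while the iframe model reaches both. The defensive point is that the IdP's logout completeness should not depend on every relying party implementing the redirect correctly; a deployment can check the serial flow for this gap simply by watching whether each `wsignoutcleanup1.0` request is followed by a request back to the Keycloak `wreply` URL.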
Ideally, it would be great to have a toggle button to enable the serial (like for SAML) or parallel (iframe) logout mechanism.

Anyway, your PR would be welcome...