Front-Channel Logout Support and Client Policies


Pedro Igor

Oct 6, 2021, 10:38:39 AM
to Keycloak Dev
Hi,

We are about to support OIDC front-channel logout [1]. A very constrained and limited approach to logging out users.

One of the things that should be part of this implementation is a specific executor to enforce specific logout policies when managing clients as well as performing logout requests.

As an initial constraint, this new executor should disable front-channel logout.

I have tried to find references on what FAPI states about logout with no success. The idea is to include this executor by default in the built-in FAPI profiles.

Please, let me know your thoughts.

[1] https://github.com/keycloak/keycloak/pull/8081

Regards.
Pedro Igor

Marek Posolda

Oct 15, 2021, 9:04:01 AM
to Pedro Igor, Keycloak Dev, 乗松隆志 / NORIMATSU,TAKASHI
Hi Pedro,

I am not aware of front-channel logout mentioned in FAPI. I don't have any strong opinion of whether to include executors or not in the default FAPI profiles. Adding Takashi in case he has any feedback for this.

I've added a few comments to the docs PR https://github.com/keycloak/keycloak-documentation/pull/1267 . I have a few minor concerns about the code (sorry for the late review):

- In case that OIDC Client registration requests use the parameter "frontchannel_logout_uri", will it make sense to automatically switch the "frontchannelLogout" switch to ON for this client on Keycloak as well? It seems to me that currently it is still OFF by default. Which means that an OIDC Client Registration Request cannot register a client which will have this switch enabled by default. But maybe I am wrong here?

- The OIDC Client registration specification also mentions this parameter on the client "frontchannel_logout_session_required" . I see Keycloak does not support it right now. I wonder what happens if this parameter is used in the OIDC Client registration request? Won't we have issues like "JSONParseException: Unknown property: frontchannel_logout_session_required" or something like that? :-)

Regards,
Marek
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/0196cb8a-0866-4cbf-a599-1d9aa0e7e843n%40googlegroups.com.


Pedro Igor Craveiro e Silva

Oct 15, 2021, 10:23:37 AM
to Marek Posolda, Keycloak Dev, 乗松隆志 / NORIMATSU,TAKASHI
On Fri, Oct 15, 2021 at 10:04 AM Marek Posolda <mpos...@redhat.com> wrote:
Hi Pedro,

I am not aware of front-channel logout mentioned in FAPI. I don't have any strong opinion of whether to include executors or not in the default FAPI profiles. Adding Takashi in case he has any feedback for this.

I have added an executor to control whether this mechanism should be used. But it was not added to the default profiles.

I've added a few comments to the docs PR https://github.com/keycloak/keycloak-documentation/pull/1267 . I have a few minor concerns about the code (sorry for the late review):

- In case that OIDC Client registration requests use the parameter "frontchannel_logout_uri", will it make sense to automatically switch the "frontchannelLogout" switch to ON for this client on Keycloak as well? It seems to me that currently it is still OFF by default. Which means that an OIDC Client Registration Request cannot register a client which will have this switch enabled by default. But maybe I am wrong here?

However, we could probably remove that flag for OIDC clients (not sure for SAML) and rely only on whether the URL is defined ... Looks simpler. It is like that because I tried to follow what we have for SAML clients.


- The OIDC Client registration specification also mentions this parameter on the client "frontchannel_logout_session_required" . I see Keycloak does not support it right now. I wonder what happens if this parameter is used in the OIDC Client registration request? Won't we have issues like "JSONParseException: Unknown property: frontchannel_logout_session_required" or something like that? :-)

Yeah, I did not include it in the representation. But we do support the capability on the server-side. In fact, we are always sending the iss and sid claims to clients.

Not sure if we should add another option to clients to control that? 

乗松隆志 / NORIMATSU,TAKASHI

Oct 16, 2021, 2:47:29 AM
to Marek Posolda, Pedro Igor, Keycloak Dev
Hello,

IMO, it is not necessarily needed to add SecureLogoutExecutor to default FAPI profiles.
I'm also not sure how Front-Channel Logout feature affects what FAPI profiles try to satisfy from security perspective.

Regards,
Takashi Norimatsu
Hitachi, Ltd.

----------
From: Marek Posolda <mpos...@redhat.com>
Sent: Friday, October 15, 2021 10:04 PM
To: Pedro Igor <pigor.c...@gmail.com>; Keycloak Dev <keyclo...@googlegroups.com>; 乗松隆志 / NORIMATSU,TAKASHI <takashi.no...@hitachi.com>
Subject: [!]Re: [keycloak-dev] Front-Channel Logout Support and Client Policies

Hi Pedro,

I am not aware of front-channel logout mentioned in FAPI. I don't have any strong opinion of whether to include executors or not in the default FAPI profiles. Adding Takashi in case he has any feedback for this.

I've added a few comments to the docs PR https://github.com/keycloak/keycloak-documentation/pull/1267 . I have a few minor concerns about the code (sorry for the late review):

- In case that OIDC Client registration requests use the parameter "frontchannel_logout_uri", will it make sense to automatically switch the "frontchannelLogout" switch to ON for this client on Keycloak as well? It seems to me that currently it is still OFF by default. Which means that an OIDC Client Registration Request cannot register a client which will have this switch enabled by default. But maybe I am wrong here?

- The OIDC Client registration specification also mentions this parameter on the client "frontchannel_logout_session_required" . I see Keycloak does not support it right now. I wonder what happens if this parameter is used in the OIDC Client registration request? Won't we have issues like "JSONParseException: Unknown property: frontchannel_logout_session_required" or something like that? :-)

Regards,
Marek


On 06. 10. 21 16:38, Pedro Igor wrote:
Hi,

We are about to support OIDC front-channel logout [1]. A very constrained and limited approach to logging out users.

One of the things that should be part of this implementation is a specific executor to enforce specific logout policies when managing clients as well as performing logout requests.

As an initial constraint, this new executor should disable front-channel logout.

I have tried to find references on what FAPI states about logout with no success. The idea is to include this executor by default in the built-in FAPI profiles.

Please, let me know your thoughts.

[1] https://github.com/keycloak/keycloak/pull/8081

Regards.
Pedro Igor

Marek Posolda

Oct 18, 2021, 1:38:13 PM
to Pedro Igor Craveiro e Silva, Keycloak Dev, 乗松隆志 / NORIMATSU,TAKASHI
On 15. 10. 21 16:23, Pedro Igor Craveiro e Silva wrote:


On Fri, Oct 15, 2021 at 10:04 AM Marek Posolda <mpos...@redhat.com> wrote:
Hi Pedro,

I am not aware of front-channel logout mentioned in FAPI. I don't have any strong opinion of whether to include executors or not in the default FAPI profiles. Adding Takashi in case he has any feedback for this.

I have added an executor to control whether this mechanism should be used. But it was not added to the default profiles.
Yes, I saw that. I think it is good that you added that executor. But not sure if there is a need to add it to the default FAPI profiles.


I've added a few comments to the docs PR https://github.com/keycloak/keycloak-documentation/pull/1267 . I have a few minor concerns about the code (sorry for the late review):

- In case that OIDC Client registration requests use the parameter "frontchannel_logout_uri", will it make sense to automatically switch the "frontchannelLogout" switch to ON for this client on Keycloak as well? It seems to me that currently it is still OFF by default. Which means that an OIDC Client Registration Request cannot register a client which will have this switch enabled by default. But maybe I am wrong here?

Ah, ok. I missed this :-) Thanks for pointing it out!

However, we could probably remove that flag for OIDC clients (not sure for SAML) and rely only on whether the URL is defined ... Looks simpler. It is like that because I tried to follow what we have for SAML clients.


- The OIDC Client registration specification also mentions this parameter on the client "frontchannel_logout_session_required" . I see Keycloak does not support it right now. I wonder what happens if this parameter is used in the OIDC Client registration request? Won't we have issues like "JSONParseException: Unknown property: frontchannel_logout_session_required" or something like that? :-)

Yeah, I did not include it in the representation. But we do support the capability on the server-side. In fact, we are always sending the iss and sid claims to clients.

Not sure if we should add another option to clients to control that?

I think we don't need another option. I think it is fine to always send "sid" and "iss" as you pointed. I was just wondering if someone sends the OIDC registration request with the option "frontchannel_logout_session_required", whether Keycloak doesn't throw some strange exception about unknown field.

I am not 100% sure if we support unknown fields for the OIDC client representation. Maybe we can wait to see if this turns out to be an issue and someone reports a bug. Otherwise we probably don't need to care much IMO?

Marek
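The two concerns raised in this exchange (whether a registration request carrying frontchannel_logout_session_required must be tolerated, and what a client does with the iss and sid parameters the OP always sends) can be illustrated with a small model of both sides of OIDC Front-Channel Logout. The following is an added example, not Keycloak code and not code from the PR under discussion; the class and function names, the client-policy choice of deriving "enabled" purely from the presence of frontchannel_logout_uri (Pedro's suggested simplification), and the sample issuer, session id and cookie values are all assumptions constructed for this illustration. The OP side appends iss and sid as query parameters to the registered logout URI, and the RP side refuses to terminate a session when those parameters are required but missing, or present but not matching the session it actually holds.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


# ----- OP side: client registration and rendering the logout URL ---------

@dataclass
class RegisteredClient:
    """Hypothetical client metadata; field names follow the OIDC
    Dynamic Client Registration parameters discussed in the thread."""
    client_id: str
    frontchannel_logout_uri: Optional[str] = None
    frontchannel_logout_session_required: bool = False


def client_from_registration_request(req: dict) -> RegisteredClient:
    """Parse a registration request. Keys this model does not know are
    ignored instead of raising, so a request that carries
    frontchannel_logout_session_required (or any other parameter the
    parser does not model) still registers the client."""
    return RegisteredClient(
        client_id=req["client_id"],
        frontchannel_logout_uri=req.get("frontchannel_logout_uri"),
        frontchannel_logout_session_required=bool(
            req.get("frontchannel_logout_session_required", False)),
    )


def frontchannel_logout_enabled(client: RegisteredClient) -> bool:
    # Assumed policy: no separate on/off switch; the feature is enabled
    # exactly when a logout URI has been registered.
    return bool(client.frontchannel_logout_uri)


def build_frontchannel_logout_url(client: RegisteredClient,
                                  issuer: str, sid: str) -> Optional[str]:
    """URL the OP renders (typically in a hidden iframe) during logout.
    iss and sid are appended unconditionally, mirroring "we are always
    sending the iss and sid claims to clients"; any query string already
    present on the registered URI is preserved."""
    if not frontchannel_logout_enabled(client):
        return None
    scheme, netloc, path, query, fragment = urlsplit(client.frontchannel_logout_uri)
    params = parse_qs(query, keep_blank_values=True)
    params["iss"] = [issuer]
    params["sid"] = [sid]
    return urlunsplit((scheme, netloc, path, urlencode(params, doseq=True), fragment))


# ----- RP side: the endpoint the OP's iframe hits -------------------------

@dataclass
class RpSession:
    """Hypothetical RP session record, keyed by the browser's cookie."""
    issuer: str
    sid: str
    logged_in: bool = True


def handle_frontchannel_logout(sessions: dict, cookie: str, request_url: str,
                               session_required: bool) -> str:
    """Return an outcome label; only "logged-out" terminates the session.
    When iss/sid are required they must be present, and whenever they are
    present they must match the session the RP holds for this browser,
    so a logout request cannot terminate an unrelated session."""
    session = sessions.get(cookie)
    if session is None:
        return "no-session"
    q = parse_qs(urlsplit(request_url).query)
    iss = q.get("iss", [None])[0]
    sid = q.get("sid", [None])[0]
    if session_required and (iss is None or sid is None):
        return "rejected-missing-iss-sid"
    if iss is not None and iss != session.issuer:
        return "rejected-issuer-mismatch"
    if sid is not None and sid != session.sid:
        return "rejected-sid-mismatch"
    session.logged_in = False
    return "logged-out"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    client = client_from_registration_request({
        "client_id": "rp-1",
        "frontchannel_logout_uri": "https://rp.example/logout?app=x",
        "frontchannel_logout_session_required": True,
        "some_future_parameter": "ignored",
    })
    url = build_frontchannel_logout_url(client, "https://op.example/realms/demo", "sess-123")
    sessions = {"cookie-A": RpSession("https://op.example/realms/demo", "sess-123")}
    print(url)
    print(handle_frontchannel_logout(sessions, "cookie-A", url, True))
```

The RP-side check is the part that matters for the "session required" question: the option changes whether the RP may accept a bare logout request at all, not what the OP sends, so an OP that always includes iss and sid stays compatible with both settings.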

Marek Posolda

Oct 18, 2021, 1:38:32 PM
to 乗松隆志 / NORIMATSU,TAKASHI, Pedro Igor, Keycloak Dev
+1

Marek