to Keycloak User
Hello,
I have a question. Our platform authorizes third-party developers to create their OIDC client and use the realm SSO to log in to their application. This sounds normal.
But when a user logs out from one of these third-party applications, for example if the application uses
It will invalidate every Keycloak session of every application, even the ones which use a different client!
Is there a way to prevent this? Maybe just log out applications on the same domain?
I will take the example of Google or Facebook. If tomorrow I log in on Deezer (or Spotify) with my Facebook account, then if I log out from Spotify, I won't be logged out from Facebook. I'm pretty sure that Facebook has protection against that.
How does it work from an OIDC point of view?
Thanks,
Regards.
C R
Jan 19, 2022, 3:23:28 PM
to Nico, Keycloak User
I think you're describing Single Sign On and Single Log Out. The
behaviour looks as expected to me in a single realm.
to Keycloak User
So, how do Facebook or Google proceed, from an OIDC point of view, to allow logging in to other third-party applications using Google/Facebook without being logged out from the application if a logout is initiated on the third-party application?
C R
Feb 1, 2022, 3:31:17 AM
to Nico, Keycloak User
Facebook and Google offer Single Logout for their applications. E.g.,
if you log out of Gmail, Calendar will also log out. What you are
describing is them providing an external login service. They are not
sharing their realm.
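As an added illustration (not code from this thread or from Keycloak), the following Python model shows the distinction C R draws: within one realm, every client shares the user's SSO session, so a logout sent to the realm's logout endpoint ends the session for every client, whereas an application-local logout only clears that application's own session. The issuer host and client names are assumed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode


def rp_initiated_logout_url(issuer: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """Build the OIDC RP-Initiated Logout redirect for a Keycloak realm.

    `issuer` is the realm URL, e.g. https://sso.example.com/realms/master
    (assumed host). Keycloak exposes the logout endpoint at
    <issuer>/protocol/openid-connect/logout; following this redirect ends
    the user's realm SSO session, not just the calling client's session.
    """
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{issuer}/protocol/openid-connect/logout?{query}"


@dataclass
class RealmSso:
    """Simplified model of one realm: one SSO session per user, shared by all clients."""
    sso_active: dict = field(default_factory=dict)        # user -> bool
    client_sessions: dict = field(default_factory=dict)   # (user, client) -> bool

    def login(self, user: str, client: str) -> None:
        # First login creates the SSO session; later logins at other clients reuse it.
        self.sso_active[user] = True
        self.client_sessions[(user, client)] = True

    def rp_initiated_logout(self, user: str) -> None:
        # Logout at the realm endpoint: the SSO session is invalidated and every
        # client session attached to it is terminated (single logout).
        self.sso_active[user] = False
        for key in self.client_sessions:
            if key[0] == user:
                self.client_sessions[key] = False

    def local_logout(self, user: str, client: str) -> None:
        # The application forgets only its own session; the realm SSO session
        # survives, so other clients stay logged in and re-login is silent.
        self.client_sessions[(user, client)] = False

    def is_logged_in(self, user: str, client: str) -> bool:
        return bool(self.sso_active.get(user)) and bool(self.client_sessions.get((user, client)))
```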
to Keycloak User
Ok, thanks for the info.
So I guess in a Keycloak way it will be a "master" realm with all the users inside, and for developers, let's say, a "developer" realm with an Identity Provider connected to "master" to have access to master accounts? But in that case, in Keycloak, I think it's duplicating accounts from master to the developer realm.