The Login Status API Set-Login header in a Disconnect Endpoint Response #558
This is more of a Chrome implementation issue rather than a FedCM API issue.
In the Keycloak implementation of the FedCM API (keycloak/keycloak#16834) we would like to use the disconnect endpoint to perform an actual SSO logout and leverage the Login Status API, which also means updating the user agent's Login Status Map. The easiest and most convenient way is with the HTTP header in a response from this endpoint.
According to the Login Status API specification you can set the value of the login status with JavaScript or an HTTP header. However, when I try to return the
Set-Login: logged-out
header in a response from the disconnect endpoint, Chrome does not seem to recognize it and does not properly update the Login Status Map. Here is a code snippet of the return statement in my Disconnect Endpoint implemented with JAX-RS:
After the user tries to log in with the IdP via FedCM again, the expected output is "Not signed in with the identity provider." but instead an empty list is returned from the accounts list endpoint. I would guess this is a problem with the "cors" mode response, which I am not very familiar with.
Some workarounds can be made to update the map, but it just seems unnecessary.
Comments
That's a bit surprising to me, because the By that I mean: apart from the bug that you found, are you really sure you want to log out the user at the IdP when the user revokes the connection from the RP? If that's a deliberate choice, yeah, that's a bug we can look into; I'm just trying to make sure that the intention is clear.
+1 to what Sam says. But I also don't think that any of the FedCM fetches themselves can set the login status of the IDP. Maybe @cbiesinger knows for sure?
It's actually supposed to work. I am not immediately sure why it doesn't. Could you file a bug at crbug.com/new?
I was imagining it would not work due to the ancestor chain check. In the spec, https://fedidcg.github.io/FedCM/#login-status-http early returns if
This again raises the question of what FedCM is for and what Keycloak would like to use it for. If possible, Keycloak would ideally like to get rid of the Keycloak JavaScript Adapter used in the authentication and logout process. FedCM kind of allows users to log in with the IdP (with the button mode and with the dynamic sign-in flow), which Keycloak benefits from: enabling users to log in. It would be only natural to offer the option to log them out. The disconnect endpoint doesn't suggest an actual logout, only a browser's removal of the triplet (account, RP, IdP). But it is the only place where a logout is suited to be offered. At least that's the idea of our prototype. Perhaps @jonkoops and @stianst could know more about KeycloakJS and correct me.
Can you help us understand why you need an API to log out from the IDP though? I think we have clarified that
I think one way to implement "disconnect" in keycloak could be:
I think this would follow the intent of the disconnect operation better. Wdyt?
I think that makes sense. Also note that
Yes, you are right. The prototype includes setting the headers in parts of Keycloak responsible for signing in and out. My problem was looking at this from the wrong perspective and seeing the disconnect process as the equivalent of signing out. What @thomasdarimont wrote definitely works. I guess this issue is not relevant anymore.
Great to hear. Closing this if this is resolved; feel free to reopen if there is still something that we need to act on.
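The following is an added example, not code from this issue, from the FedCM spec repository or from Keycloak. It models the outcome the thread arrives at: the FedCM disconnect endpoint only unlinks the (account, RP, IdP) triplet and returns the account_id, while the Set-Login header is emitted from the IdP's own sign-in and sign-out responses. The handlers are plain functions over a request object so the header logic can be checked without a server; the request and response shapes (POST form body with client_id and account_hint, Sec-Fetch-Dest: webidentity, JSON account_id reply with credentialed CORS headers) follow my reading of the FedCM spec, and the client registry, session store and all names are constructed.

```javascript
// Added example (not Keycloak's or the FedCM spec's code). Requests are
// {method, headers, body}; responses are {status, headers, body}.

// Constructed registry: client_id -> RP origin allowed to call disconnect.
const registeredClients = new Map([["rp-client-1", "https://rp.example"]]);

// Constructed session store: session cookie value -> IdP session.
const sessions = new Map([
  ["sess-abc", { accountId: "acct-42", connections: new Set(["rp-client-1"]) }],
]);

// Parse a Cookie header ("a=1; b=2") into an object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Parse an application/x-www-form-urlencoded body.
function parseForm(body = "") {
  return Object.fromEntries(new URLSearchParams(body));
}

// Credentialed CORS headers scoped to the one RP origin that was validated.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// FedCM disconnect endpoint: drop the RP <-> account link on the IdP side and
// return the account_id so the browser can drop its own triplet. The IdP
// session itself stays alive, so no Set-Login header is sent from here.
function handleDisconnect(req) {
  if (req.method !== "POST") return { status: 405, headers: {}, body: "" };
  // Browser-initiated FedCM fetches carry Sec-Fetch-Dest: webidentity;
  // anything else is not a FedCM disconnect and is refused.
  if (req.headers["sec-fetch-dest"] !== "webidentity") {
    return { status: 403, headers: {}, body: "" };
  }
  const form = parseForm(req.body);
  if (!form.client_id || !form.account_hint) {
    return { status: 400, headers: {}, body: "" };
  }
  // The calling origin must be the one registered for this client_id.
  const allowedOrigin = registeredClients.get(form.client_id);
  if (!allowedOrigin || allowedOrigin !== req.headers["origin"]) {
    return { status: 403, headers: {}, body: "" };
  }
  // The account is resolved from the IdP's own session cookie, not from the hint.
  const session = sessions.get(parseCookies(req.headers["cookie"]).sid);
  if (!session) return { status: 401, headers: {}, body: "" };
  session.connections.delete(form.client_id);
  return {
    status: 200,
    headers: { ...corsHeaders(allowedOrigin), "Content-Type": "application/json" },
    body: JSON.stringify({ account_id: session.accountId }),
  };
}

// IdP sign-out response (a normal top-level navigation to the IdP): this is
// where the Login Status header belongs, because the IdP session really ends.
function handleLogout(req) {
  sessions.delete(parseCookies(req.headers["cookie"]).sid);
  return { status: 200, headers: { "Set-Login": "logged-out" }, body: "Signed out" };
}

// IdP sign-in success response: create the session and flag the browser's
// Login Status Map as logged-in for this IdP.
function handleLoginSuccess(sessionId, accountId) {
  sessions.set(sessionId, { accountId, connections: new Set() });
  return {
    status: 200,
    headers: {
      "Set-Login": "logged-in",
      "Set-Cookie": `sid=${sessionId}; Secure; HttpOnly; SameSite=None`,
    },
    body: "Signed in",
  };
}
```

In Keycloak terms, the equivalent is to attach Set-Login to the responses of the sign-in and logout endpoints, as the thread concludes, and to leave the disconnect endpoint with the unlink-and-reply job above; the Sec-Fetch-Dest and client_id/Origin checks keep the endpoint from being driven by a page that is not a registered RP.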