
Frontchannel logout problem #47

@vanrar68

Description

The way Keycloak is chaining the WSFED logout requests when a user is connected to multiple WSFED clients can lead to the user not being disconnected from some of these clients.

Imagine the following scenario:

  • a user is connected to 3 WSFED clients
  • the user clicks on the logout link in Client1
  • Client1 sends wa=signout1.0&wreply=LandingPage to Keycloak
  • Keycloak sends (via browser redirect) wa=signoutcleanup1.0&wreply=keycloakurl to Client2
  • Client 2 redirects the browser to Keycloak
  • Keycloak sends (via browser redirect) wa=signoutcleanup1.0&wreply=keycloakurl to Client3
  • Client 3 redirects the browser to Keycloak
  • Keycloak redirects the browser to Client1 landing page

This is how things are supposed to work in a frontchannel logout scenario (exactly like for SAML but without the token).
The problem is that a few well-known WSFED clients (namely Microsoft SharePoint and Exchange OWA) won't make use of the wreply parameter when receiving a wa=signoutcleanup1.0 request. Keycloak will never get a chance to trigger a logout request directed at Client2 and Client3.
In the above scenario this means that after clicking the "logout" link in Client1, the user will still have a valid session in Client2 and Client3 and, even worse, will have no clue about it.

A solution would be the following scenario:

  • a user is connected to 3 WSFED clients
  • the user clicks on the logout link in Client1
  • Client1 sends wa=signout1.0&wreply=LandingPage to Keycloak
  • Keycloak sends a response containing an iFrame pointing to Client2.logoutURL and an autoload form pointing to itself
  • Keycloak sends a response containing an iFrame pointing to Client3.logoutURL and an autoload form pointing to itself
  • Keycloak redirects the browser to Client1 landing page

This way the logout requests initiated by Keycloak are independent of the client behaviour.
Ideally, upon receiving a wa=signout1.0 request Keycloak could send a single response containing multiple iFrames pointing to the connected clients' logout URLs in order to trigger all logouts in the same request (just like ADFS does), but that would require changes at Keycloak level.

I've implemented and tested this successfully with SharePoint. I can submit a PR with both the current behavior and the iFrame logout as an alternative. Let me know.
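To make the proposed mechanism concrete, here is an added example (written for this page, not the issue author's PR or Keycloak's own Java code) of the single-response variant described above: the identity provider answers a wa=signout1.0 request with one HTML page that carries a hidden iframe per connected client, each loading that client's logout URL with wa=signoutcleanup1.0 appended, and then sends the browser to the landing page. Because the clients' wreply handling no longer matters, a SharePoint or OWA that ignores wreply still receives its cleanup request. The client list, the hostnames, and the wreply allowlist are constructed assumptions; the allowlist is there because wreply is attacker-controllable in the initial request and should only ever be honoured for registered landing pages, otherwise the signout endpoint becomes an open redirect.

```python
"""Single-response front-channel logout page for WS-Federation clients.

Added illustration of the iframe approach from the issue; it does not use
Keycloak APIs. All URLs and client entries below are constructed sample data.
"""
import json
from html import escape
from typing import Iterable, Mapping, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: clients the user currently has a session with (assumed shape).
CONNECTED_CLIENTS = [
    {"id": "client2", "logout_url": "https://client2.example.test/_trust/"},
    {"id": "client3", "logout_url": "https://client3.example.test/owa/?foo=bar"},
]

# Constructed: landing pages clients are registered to return to. Only these
# may appear in wreply; anything else falls back to the IdP's own page.
ALLOWED_WREPLY = {"https://client1.example.test/loggedout"}

IDP_FALLBACK_PAGE = "https://idp.example.test/loggedout"

# Give each client's iframe this long to load before redirecting anyway, so
# one unreachable client cannot hang the whole logout.
REDIRECT_TIMEOUT_MS = 5000


def cleanup_url(logout_url: str) -> str:
    """Return the client's logout URL with wa=signoutcleanup1.0 added, keeping
    any query parameters the registered URL already carries."""
    parts = urlsplit(logout_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["wa"] = "signoutcleanup1.0"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def safe_wreply(wreply: Optional[str], fallback: str = IDP_FALLBACK_PAGE) -> str:
    """Honour wreply only when it is an allowlisted landing page."""
    return wreply if wreply in ALLOWED_WREPLY else fallback


def build_logout_page(clients: Iterable[Mapping[str, str]], wreply: Optional[str]) -> str:
    """Render the page: one hidden iframe per client plus a redirect that fires
    once all iframes have loaded (or after REDIRECT_TIMEOUT_MS, whichever is first)."""
    frames = "\n".join(
        '  <iframe src="{src}" title="{title}" style="display:none"></iframe>'.format(
            src=escape(cleanup_url(c["logout_url"]), quote=True),
            title=escape(c["id"], quote=True),
        )
        for c in clients
    )
    target = safe_wreply(wreply)
    # json.dumps yields a JavaScript string literal; the value is allowlisted,
    # so it cannot carry a script-breaking payload.
    script = (
        "  <script>\n"
        "    var done = false;\n"
        "    function go() { if (!done) { done = true; window.location.replace(" + json.dumps(target) + "); } }\n"
        "    window.addEventListener('load', go);\n"
        "    setTimeout(go, " + str(REDIRECT_TIMEOUT_MS) + ");\n"
        "  </script>"
    )
    return (
        "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\"><title>Signing out</title></head>\n<body>\n"
        "  <p>Signing you out of all applications... "
        '<a href="' + escape(target, quote=True) + '">Continue</a></p>\n'
        + frames + "\n" + script + "\n</body></html>"
    )


if __name__ == "__main__":
    print(build_logout_page(CONNECTED_CLIENTS, "https://client1.example.test/loggedout"))
```

The page is what the IdP would return instead of the first browser redirect in the chain; each iframe carries the user's cookies for that client, so the client's cleanup handler can end its session regardless of whether it redirects back. The visible "Continue" link covers browsers with scripting disabled.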
