Open vanrar68 opened 4 years ago
Perhaps it could be possible to choose in "Valid Redirect URIs" according to the referer of the logout request? As we are currently pretty busy with many other topics, wsfed is not currently in our tasks list. Do not hesitate to submit a PR.
Let's imagine the following scenario:
The problem is the following: there is no way for Keycloak to "guess" the logout endpoint of Client2 among the Redirect URIs configured for Client2. That's why I'm proposing to store the logout URL in a dedicated field (the same way it's done for SAML clients, using the "Logout Service Redirect Binding URL" form field). I can submit a PR to address this issue if you're OK with that.
PS: please note that this is not related specifically to backchannel logout but more precisely to single logout (the original title of this issue was misleading, I'll open another issue regarding the backchannel logout problem).
With the use of a dedicated field, it sounds like a clean solution. It's OK for us if you want to submit a PR: it will be reviewed with great interest.
Will do
Hi!
When a WSFed client sends a signout request to Keycloak and the user is connected to multiple WSFed clients, Keycloak will send a backchannel logout request to all other connected clients. After reading the code, the URL used to perform the backchannel logout is the first URL found in the "Valid Redirect URIs" setting of the client. This is a bad idea because the order of the values in the "Valid Redirect URIs" list cannot be chosen/forced.
Is it possible to store the backchannel logout URL in a dedicated field or use an existing field like "Admin URL"? If not possible, it should at least be mentioned in the "Valid Redirect URIs" tooltip that the first value of the list will also be used for backchannel logout purposes.
Thanks. Regards,
-- Joaquim
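
The ordering problem reported in this issue and the dedicated-field approach proposed in the comments, shown as an added Java example that is not code from Keycloak or the WS-Fed module. The attribute key `wsfed.logout.url`, the class and method names, and the sample URIs are assumptions made for illustration; redirect URIs are modelled as a `Set<String>`.

```java
import java.net.URI;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added illustration, not Keycloak or WS-Fed module code; all names are hypothetical.
public class LogoutUrlResolver {
    // Hypothetical attribute key for the dedicated logout field.
    static final String LOGOUT_URL_ATTR = "wsfed.logout.url";

    // Behaviour described in the issue: use whichever redirect URI iterates first.
    static String firstRedirectUri(Set<String> redirectUris) {
        return redirectUris.iterator().next();
    }

    // Proposed behaviour: read only the dedicated field and never guess.
    static Optional<String> dedicatedLogoutUrl(Map<String, String> attrs) {
        String value = attrs.get(LOGOUT_URL_ATTR);
        if (value == null || value.isBlank() || value.contains("*")) {
            return Optional.empty(); // unset, or a pattern rather than a URL
        }
        try {
            URI uri = URI.create(value.trim());
            String scheme = uri.getScheme();
            boolean web = "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
            return web && uri.getHost() != null ? Optional.of(uri.toString()) : Optional.empty();
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not parseable as a URI
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the same two entries, stored in different orders.
        String pattern = "https://client2.example.org/*";
        String signout = "https://client2.example.org/wsfed/signout";
        Set<String> a = new LinkedHashSet<>(List.of(pattern, signout));
        Set<String> b = new LinkedHashSet<>(List.of(signout, pattern));

        System.out.println("same configuration: " + a.equals(b));
        System.out.println("first of a: " + firstRedirectUri(a));
        System.out.println("first of b: " + firstRedirectUri(b));

        Map<String, String> attrs = Map.of(LOGOUT_URL_ATTR, signout);
        System.out.println("dedicated field: " + dedicatedLogoutUrl(attrs).orElse("<none>"));
        System.out.println("field unset: " + dedicatedLogoutUrl(Map.of()).orElse("<none>"));
    }
}
```

The two sets compare equal as configurations, yet "first entry" yields a wildcard pattern for one and the signout endpoint for the other, while the dedicated field returns the same validated URL regardless of storage order.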