[keycloak-dev] Account management requirements for beta1

Stian Thorgersen stian at redhat.com
Thu May 1 05:28:41 EDT 2014


As long as we have a way for users to invalidate everything in account management I agree that's sufficient.

Setting UserModel.notBefore on user logout, would that not invalidate the session on other devices/browsers as well?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 30 April, 2014 7:24:01 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
> 
> We have most of this via a not-before policy you can set at the realm
> level, application, client, or user level.  No ability yet to view
> tokens that have been given out though and which may still be valid.
> Only an admin can set the not-before policy right now.
> 
> Tasks:
> 
> * Make sure all not before policies are checked before login or refresh
> * Set UserModel.notBefore when a user does a logout.
> * Allow user to invalidate all grants (sets a UserModel.notBefore(now)
> policy)
> 
> Not a priority:
> * Allow a user to view and invalidate specific oauth grants.  We can
> just make it all or nothing.  I just think there's higher priority
> things to do.
> 
> On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
> > With regards to account management what additional requirements do we have
> > for beta1?
> >
> > Features I can think of to add now or in the future include:
> >
> > * Manage refresh tokens - view applications and clients that have refresh
> > tokens, and the ability to invalidate specific tokens
> > * Manage devices - view browsers and devices that have access (remember me
> > cookie?), and the ability to invalidate specific cookies
> > * Manage devices that can bypass totp - it seems to be quite common that
> > it's possible to not require asking for totp again for a specific device,
> > I assume this is done by setting a cookie, if we enable this it should be
> > possible to view what devices have this option, as well as invalidate them
> > * Manage applications - view all applications, be able to navigate to an
> > application, and the ability to invalidate access to specific application
> > * Manage clients - view all clients and what grants they have, and the
> > ability to revoke access to specific client
> >
> > I think listing client grants, invalidating specific client grants, and a
> > logout everything option would be sufficient. The logout everything option
> > would invalidate any refresh tokens, remember me cookies, 'skip' totp
> > cookies and do a sso-logout.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
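The not-before check described in the tasks above, as an added illustrative example (not Keycloak's own code; the scope names, timestamps, token fields and the `accepts`/`user_logout` helpers are assumptions). Under this model a user-level notBefore set at logout rejects that user's earlier tokens from every device, while other users' tokens are unaffected.

```python
"""Not-before policy check as sketched in the thread (illustrative model,
not Keycloak's code). Each scope carries a timestamp; a token is accepted
only if it was issued at or after every policy that applies to it."""
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    user: str
    client: str
    application: str
    issued_at: int  # seconds since epoch; sample values below are constructed


@dataclass
class NotBeforePolicies:
    realm: int = 0
    applications: dict = field(default_factory=dict)
    clients: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)

    def effective_not_before(self, token: RefreshToken) -> int:
        """The strictest (latest) not-before among realm, app, client, user."""
        return max(
            self.realm,
            self.applications.get(token.application, 0),
            self.clients.get(token.client, 0),
            self.users.get(token.user, 0),
        )

    def accepts(self, token: RefreshToken) -> bool:
        """Check to run before login/refresh: reject tokens issued too early."""
        return token.issued_at >= self.effective_not_before(token)

    def user_logout(self, user: str, now: int) -> None:
        """Logout sets the user-level notBefore, so every token issued to that
        user before 'now' (on any device or browser) stops being refreshable."""
        self.users[user] = max(self.users.get(user, 0), now)


def demo() -> tuple:
    """Alice logs out at t=1700; both her tokens die, Bob's survives."""
    policies = NotBeforePolicies(realm=1000)
    laptop = RefreshToken("alice", "cli-a", "app-1", issued_at=1500)
    phone = RefreshToken("alice", "cli-b", "app-2", issued_at=1600)
    bob = RefreshToken("bob", "cli-a", "app-1", issued_at=1500)
    policies.user_logout("alice", now=1700)
    return policies.accepts(laptop), policies.accepts(phone), policies.accepts(bob)
```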

