[keycloak-dev] Account management requirements for beta1

Stian Thorgersen stian at redhat.com
Thu May 1 10:14:47 EDT 2014


Yes, it should log out from all applications and clients, but not all devices.

To confirm, resources to invalidate includes:

* Refresh tokens
* Identity cookie
* Remember-me cookie

What about when a user logs in we create a unique "login-code" for that device that is stored in the identity cookie. All refresh tokens and remember-me cookies are then associated with this code as well. A UserModel would have a list of valid "login-codes", and on a standard logout the "login-code" from the current identity cookie would be removed from the UserModel. This would invalidate all refresh tokens and cookies created for that particular device/browser.

In account management we'd have an additional option to log out everything. Doing this would set the notBefore on the UserModel to "now", as well as remove all "login-codes". This would invalidate all current refresh tokens and cookies for all devices/browsers.

With regard to OAuth Grants, as we don't currently remember what grants a user has given to a client, I don't think we need to add anything in account management for it. Once we remember grants then we should also allow users to view and revoke grants.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 1 May, 2014 2:58:43 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
> 
> How do you propose single logout works then?  You want single log out to
> be a single click, not a questionnaire on which apps to log out of.
> 
> On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
> > That's pretty rubbish though. Say I've got a desktop, a laptop and a
> > mobile, and they're all logged-in with a remember-me cookie. Then I use a
> > friend's or a library computer, and after I've clicked logout there I'm
> > logged out everywhere. That's really annoying, especially for mobiles.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 1 May, 2014 2:05:28 PM
> >> Subject: Re: [keycloak-dev] Account management requirements for beta1
> >>
> >>
> >>
> >> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> >>> As long as we have a way for users to invalidate everything in accnt
> >>> mngmt
> >>> I agree that's sufficient.
> >>>
> >>> Setting UserModel.notBefore on user logout, would that not invalidate
> >>> the
> >>> session on other devices/browsers as well?
> >>>
> >>
> >> Yes, for those apps that don't have an HTTP session that can be
> >> invalidated, they will eventually have to do a refresh and the refresh
> >> token would be invalid which would force a relog.
> >>
> >>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
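The per-device "login-code" scheme proposed in the message above, modelled as an added example (this is not Keycloak's code: the UserModel, login-code and notBefore names come from the thread, while the Credential and SessionManager classes, the integer clock values and the user names are assumptions made for the illustration):

```python
"""Model of per-device login-codes plus a user-wide notBefore cut-off.

Added example, not Keycloak's own code. UserModel, "login-code" and
notBefore are the names used in the thread; everything else is assumed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class UserModel:
    username: str
    # one login-code per device/browser that is currently logged in
    login_codes: set = field(default_factory=set)
    # anything issued before this instant is rejected, whatever its login-code
    not_before: int = 0


@dataclass(frozen=True)
class Credential:
    """A refresh token, identity cookie or remember-me cookie (assumed shape)."""
    kind: str          # "identity", "refresh" or "remember-me"
    username: str
    login_code: str    # copied from the identity cookie of the issuing device
    issued_at: int     # seconds since epoch (passed in explicitly below)


class SessionManager:
    def __init__(self) -> None:
        self.users: dict[str, UserModel] = {}

    def user(self, username: str) -> UserModel:
        return self.users.setdefault(username, UserModel(username))

    def login(self, username: str, now: int) -> Credential:
        """New device/browser login: mint a login-code, record it on the
        UserModel and hand it back inside the identity cookie."""
        code = secrets.token_urlsafe(16)
        self.user(username).login_codes.add(code)
        return Credential("identity", username, code, now)

    def issue(self, identity: Credential, kind: str, now: int) -> Credential:
        """Refresh tokens and remember-me cookies inherit the device's code."""
        if not self.is_valid(identity):
            raise PermissionError("identity cookie is no longer valid")
        return Credential(kind, identity.username, identity.login_code, now)

    def is_valid(self, cred: Credential) -> bool:
        u = self.users.get(cred.username)
        if u is None:
            return False
        if cred.login_code not in u.login_codes:
            return False          # that device/browser was logged out
        if cred.issued_at < u.not_before:
            return False          # issued before a "log out everything"
        return True

    def logout(self, identity: Credential) -> None:
        """Standard logout: drop only the code in the current identity cookie,
        which invalidates every token/cookie minted for that device."""
        self.user(identity.username).login_codes.discard(identity.login_code)

    def logout_everything(self, username: str, now: int) -> None:
        """Account-management option: notBefore = now and drop all codes."""
        u = self.user(username)
        u.not_before = now
        u.login_codes.clear()


def scenario() -> dict:
    """Walk through the desktop / library-computer case from the thread."""
    sm = SessionManager()
    desktop = sm.login("alice", now=1000)
    desktop_refresh = sm.issue(desktop, "refresh", now=1001)
    library = sm.login("alice", now=2000)
    library_refresh = sm.issue(library, "refresh", now=2001)

    sm.logout(library)                       # click logout on the library PC
    after_single = {"desktop": sm.is_valid(desktop_refresh),
                    "library": sm.is_valid(library_refresh)}

    sm.logout_everything("alice", now=3000)  # "log out everything" in account mgmt
    after_all = {"desktop": sm.is_valid(desktop_refresh),
                 "library": sm.is_valid(library_refresh)}

    phone = sm.login("alice", now=3001)      # a later login works normally
    phone_refresh = sm.issue(phone, "refresh", now=3002)
    return {"after_single": after_single, "after_all": after_all,
            "fresh": sm.is_valid(phone_refresh)}


if __name__ == "__main__":
    print(scenario())
```

Two points worth keeping in mind with this shape: a refresh token is only as well bound as the login-code it carries, so an attacker holding a copied identity cookie can keep minting refresh tokens for that device until its code is removed; and the `issued_at < not_before` comparison runs at one-second granularity, so a token issued in the same second as a "log out everything" still validates, while using `<=` would also reject a genuine login made in that second.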

