[keycloak-dev] User sessions added
Stian Thorgersen
stian at redhat.com
Fri May 9 09:57:40 EDT 2014
Good thing we are slow about different things, otherwise we'd not manage to do anything ;)
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 9 May, 2014 2:52:20 PM
> Subject: Re: [keycloak-dev] User sessions added
>
> Duh... :) Now its my turn to be slow...
>
> So the iframe solution is a good one :) I'll add it to keycloak.js
>
>
> On 5/9/2014 9:38 AM, Stian Thorgersen wrote:
> > Could we not have a separate session state cookie that is not HttpOnly?
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 9 May, 2014 2:36:09 PM
> >> Subject: Re: [keycloak-dev] User sessions added
> >>
> >> That's what I was saying before. There is no benefit in using Iframes
> >> if your login cookies are HttpOnly. Your set timeout is *already*
> >> happening indirectly via refresh tokens.
> >>
> >> The only other benefit might be in that you'd have to enable CORS for
> >> that "ping" request which might be a pain.
> >>
> >> On 5/9/2014 9:10 AM, Stian Thorgersen wrote:
> >>> What then is the benefit of having this iframe compared to just adding
> >>> something like the following to keycloak.js:
> >>>
> >>> setTimeout(function() {
> >>> var req = new XMLHttpRequest();
> >>> req.open('GET',
> >>> 'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...',
> >>> true);
> >>> req.onreadystatechange = function () {
> >>> if (req.readyState == 4 && req.status == 200) {
> >>> var status = JSON.parse(req.responseText);
> >>> if (!status.active) {
> >>> clearToken();
> >>> }
> >>> }
> >>> }
> >>> req.send();
> >>> }, 3000);
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Friday, 9 May, 2014 1:41:02 PM
> >>>> Subject: Re: [keycloak-dev] User sessions added
> >>>>
> >>>>
> >>>>
> >>>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
> >>>>> User sessions have been added. In summary when a user logs in a new
> >>>>> session
> >>>>> is created (and persisted in the model). The identity cookie as well as
> >>>>> all tokens/refresh-tokens are associated with a session. When a user
> >>>>> logs
> >>>>> out the session is invalidated (removed from the model), which
> >>>>> invalidates
> >>>>> the identity cookie and all tokens/refresh-tokens.
> >>>>>
> >>>>> There's two related issues left to do:
> >>>>>
> >>>>> * Make sure adapters only log out a specific session (if LoginAction
> >>>>> contains a session id)
> >>>>> * Allow a user to log out all sessions through the account management
> >>>>> console
> >>>>>
> >>>>> Also, we may want some mechanism to retrieve the status of a session
> >>>>> from
> >>>>> applications. This could be a REST endpoint, or the crazy iframe
> >>>>> technique
> >>>>> from OpenID Connect. I think this can be postponed to after 1.0 though.
> >>>>>
> >>>>
> >>>> The crazy IFrame techique would require this REST "ping". At least for
> >>>> us, as our cookies would be http-only.
> >>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list