[keycloak-dev] User sessions added

Bill Burke bburke at redhat.com
Fri May 9 18:35:15 EDT 2014


BTW, my only problem with this approach is that it requires a database 
update/insert on every login and an update/delete on every logout, making 
the database a big source of contention.  Especially since we can pretty 
much cache everything else.

On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
> User sessions have been added. In summary, when a user logs in a new session is created (and persisted in the model). The identity cookie as well as all tokens/refresh-tokens are associated with a session. When a user logs out the session is invalidated (removed from the model), which invalidates the identity cookie and all tokens/refresh-tokens.
>
> There are two related issues left to do:
>
> * Make sure adapters only log out a specific session (if LoginAction contains a session id)
> * Allow a user to log out all sessions through the account management console
>
> Also, we may want some mechanism to retrieve the status of a session from applications. This could be a REST endpoint, or the crazy iframe technique from OpenID Connect. I think this can be postponed to after 1.0 though.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
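
The session-bound token model discussed in this thread, as an added sketch that is not part of either message and is not Keycloak code: tokens carry a session id, validation checks that the session still exists, and a counter shows the per-login and per-logout writes raised in the reply. `SessionStore`, `issue_token`, `validate`, the `sid` claim name and the HMAC token format are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed signing key for this sketch; a real server would load its own key.
KEY = secrets.token_bytes(32)

class SessionStore:
    """In-memory stand-in for the persisted session model (hypothetical)."""
    def __init__(self):
        self._sessions = {}   # session id -> user id
        self.writes = 0       # one write per login and per logout

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        self.writes += 1
        return sid

    def logout(self, sid):
        # Log out one specific session only; other sessions stay valid.
        if self._sessions.pop(sid, None) is not None:
            self.writes += 1

    def logout_all(self, user):
        # Log out every session of a user (the account-console case).
        for sid in [s for s, u in self._sessions.items() if u == user]:
            self.logout(sid)

    def is_active(self, sid, user):
        return self._sessions.get(sid) == user

def issue_token(sid, user, ttl=300):
    claims = {"sub": user, "sid": sid, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def validate(token, store):
    """Return the claims, or None if forged, expired, or the session is gone."""
    body, _, sig = token.partition(b".")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        return None
    # The session lookup is what makes logout revoke an otherwise valid token.
    if not store.is_active(claims["sid"], claims["sub"]):
        return None
    return claims
```

The signature and expiry checks alone would keep accepting a token after logout; only the session lookup revokes it, and that lookup is the state that must be written on every login and logout.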

