[keycloak-dev] oauth clients and session problems
Bill Burke
bburke at redhat.com
Fri May 16 09:48:06 EDT 2014
I think oauth grants are a different animal than application logins.
Applications are part of an SSO session, while oauth grants will
probably not want to be part of an SSO session. Why? If an Oauth grant
requires entering in user credentials, right now, Keycloak will create an
identity cookie. The user might not know in this situation that they
need to logout.
I was thinking that:
1. OAuth Client grant requests should always have a new session created
for them.
2. OAuth client grant requests should not ever set any cookies. It's ok
to use existing cookies for authentication though.
3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
for each oauth client and application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
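The three rules proposed above, as an added illustration that is not part of the original message and not Keycloak's own code or API: a constructed in-memory model in which an application login joins (or starts) the SSO session and sets the identity cookie, an OAuth client grant may use a valid existing cookie to identify the user but always gets a fresh session and never sets a cookie, and per-client idle/max-lifespan values override the realm defaults. All names, timeout values and session ids are assumptions made for the example.

```python
"""Constructed model of the session rules proposed in the thread (not Keycloak code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RealmConfig:
    # Realm-wide defaults in seconds (constructed values).
    sso_session_idle_timeout: int = 1800
    sso_session_max_lifespan: int = 36000


@dataclass
class ClientConfig:
    client_id: str
    oauth_client: bool  # True for an OAuth client grant, False for an application login
    # Per-client overrides (rule 3); None means "use the realm value".
    sso_session_idle_timeout: Optional[int] = None
    sso_session_max_lifespan: Optional[int] = None


@dataclass
class Session:
    session_id: str
    user: str
    started: int
    last_access: int


@dataclass
class AuthResult:
    session_id: str
    user: str
    set_cookie: bool  # whether the response would set an identity cookie


def effective_timeouts(realm: RealmConfig, client: ClientConfig):
    """Client override wins when present, otherwise fall back to the realm (rule 3)."""
    idle = realm.sso_session_idle_timeout if client.sso_session_idle_timeout is None \
        else client.sso_session_idle_timeout
    max_life = realm.sso_session_max_lifespan if client.sso_session_max_lifespan is None \
        else client.sso_session_max_lifespan
    return idle, max_life


class SessionManager:
    def __init__(self, realm: RealmConfig):
        self.realm = realm
        self.sessions: Dict[str, Session] = {}
        self._counter = 0

    def _new_session(self, user: str, now: int) -> str:
        self._counter += 1
        sid = f"sess-{self._counter}"  # hypothetical id format
        self.sessions[sid] = Session(sid, user, now, now)
        return sid

    def is_valid(self, session_id: Optional[str], client: ClientConfig, now: int) -> bool:
        """Validity is judged with the timeouts that apply to the requesting client."""
        s = self.sessions.get(session_id) if session_id else None
        if s is None:
            return False
        idle, max_life = effective_timeouts(self.realm, client)
        return now - s.last_access <= idle and now - s.started <= max_life

    def authenticate(self, client: ClientConfig, cookie_session_id: Optional[str],
                     credentials_user: Optional[str], now: int) -> Optional[AuthResult]:
        # Identify the user: a valid existing cookie is acceptable (rule 2),
        # otherwise fall back to the credentials supplied with the request.
        user = None
        if self.is_valid(cookie_session_id, client, now):
            user = self.sessions[cookie_session_id].user
        if user is None:
            user = credentials_user
        if user is None:
            return None  # authentication failed

        if client.oauth_client:
            # Rule 1: a grant always gets its own session. Rule 2: never set a cookie,
            # so the browser is not left with an SSO login the user does not know about.
            return AuthResult(self._new_session(user, now), user, set_cookie=False)

        # Application login: join the SSO session behind the cookie, or start one and set it.
        if self.is_valid(cookie_session_id, client, now):
            s = self.sessions[cookie_session_id]
            s.last_access = now
            return AuthResult(s.session_id, user, set_cookie=False)
        return AuthResult(self._new_session(user, now), user, set_cookie=True)
```

Because validity is evaluated with the requesting client's timeouts, the same session can be expired for an OAuth client with a short idle override while still being live for an application that uses the realm default; that is the per-client behaviour rule 3 asks for.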