[keycloak-dev] oauth clients and session problems
Bill Burke
bburke at redhat.com
Fri May 16 11:09:00 EDT 2014
No, I'm talking about browser-based oauth grant. Where the client
initiating the token request is an oauth client and the user has to
login and go to the oauth grant page.
On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> Are you talking about 'tokens/grants/access'?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 16 May, 2014 2:48:06 PM
>> Subject: [keycloak-dev] oauth clients and session problems
>>
>> I think oauth grants are a different animal than application logins.
>> Applications are part of an SSO session, while oauth grants will
>> probably not want to be part of an SSO session. Why? If an Oauth grant
>> requires entering in user credentials, right now, Keycloak will create a
>> identity cookie. The user might not know in this situation that they
>> need to logout.
>>
>> I was thinking that:
>>
>> 1. OAuth Client grant requests should always have a new session created
>> for them.
>> 2. OAuth client grant requests should not ever set any cookies. Its ok
>> to use existing cookies for authentication though.
>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
>> for each oauth client and application.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list