[keycloak-dev] Session SPI for adapters
Stian Thorgersen
stian at redhat.com
Thu Oct 2 04:47:33 EDT 2014
Currently adapters use the HTTP session to manage sessions. This works fine for most, but I believe there are situations when something different is needed, for example for stateless applications. It also doesn't work for bearer-only applications, or OAuth clients.
I propose we add a Session SPI to adapters, which allows plugging in a mechanism to manage user sessions. The interface would be something along the lines of:
* void addSession(String userId, String sessionId)
* boolean isSessionValid(String sessionId)
* boolean removeSession(String userId, String sessionId)
We could provide a few built in providers:
* HTTP Session - store in http session as we currently do
* Infinispan - store in an Infinispan cache
* JPA - store in a database
* Keycloak Session Endpoint - we could add a session info endpoint to Keycloak
* None - no session management (relies on expiration of access token to logout users)
Further, we probably need to add some option to enable/disable logout admin events for applications. For example:
* Keycloak Session Endpoint - no need to send logout events
* JPA (or Infinispan) - if multiple applications share a session database, it's only necessary to send the logout event to one application
Thoughts?
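To make the proposed SPI concrete, here is an added illustration (not code from Keycloak or from the message above) of the three-method interface with two of the suggested providers: an in-memory store standing in for the shared Infinispan/JPA variants, and the "None" provider. The interface name SessionProvider, the class names and the sample ids are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Assumed shape of the Session SPI sketched in the message: the three methods
// are the ones proposed there, the name SessionProvider is an assumption.
interface SessionProvider {
    void addSession(String userId, String sessionId);
    boolean isSessionValid(String sessionId);
    boolean removeSession(String userId, String sessionId);
}

// In-memory stand-in for the Infinispan/JPA providers: one shared store that
// several adapter instances could consult. It is keyed both ways so that a
// logout event carrying only the user id can also be honoured.
class InMemorySessionProvider implements SessionProvider {
    private final Map<String, String> sessionToUser = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> userToSessions = new ConcurrentHashMap<>();

    public void addSession(String userId, String sessionId) {
        sessionToUser.put(sessionId, userId);
        userToSessions.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(sessionId);
    }

    public boolean isSessionValid(String sessionId) {
        return sessionToUser.containsKey(sessionId);
    }

    public boolean removeSession(String userId, String sessionId) {
        // Refuse to remove a session owned by a different user: a logout event
        // for user A must not be able to terminate user B's session.
        String owner = sessionToUser.get(sessionId);
        if (owner == null || !owner.equals(userId)) {
            return false;
        }
        sessionToUser.remove(sessionId);
        Set<String> sessions = userToSessions.get(userId);
        if (sessions != null) {
            sessions.remove(sessionId);
        }
        return true;
    }

    // Convenience for a "log out everywhere" event; not part of the proposed SPI.
    public int removeAllSessions(String userId) {
        Set<String> sessions = userToSessions.remove(userId);
        if (sessions == null) {
            return 0;
        }
        int removed = 0;
        for (String s : sessions) {
            if (sessionToUser.remove(s) != null) {
                removed++;
            }
        }
        return removed;
    }
}

// "None" provider: no session state at all. Every session id is reported valid,
// so the adapter must still verify the access token's signature and expiry on
// each request; token expiry is the only thing that ever logs the user out.
class NoneSessionProvider implements SessionProvider {
    public void addSession(String userId, String sessionId) { }
    public boolean isSessionValid(String sessionId) { return true; }
    public boolean removeSession(String userId, String sessionId) { return false; }
}

public class SessionSpiDemo {
    public static void main(String[] args) {
        SessionProvider store = new InMemorySessionProvider();
        // Constructed sample ids, not real Keycloak values.
        store.addSession("user-1", "sess-a");
        store.addSession("user-1", "sess-b");
        System.out.println("sess-a valid after login: " + store.isSessionValid("sess-a"));
        System.out.println("remove sess-a as wrong user: " + store.removeSession("user-2", "sess-a"));
        System.out.println("remove sess-a as owner: " + store.removeSession("user-1", "sess-a"));
        System.out.println("sess-a valid after logout: " + store.isSessionValid("sess-a"));
        System.out.println("sess-b still valid: " + store.isSessionValid("sess-b"));

        SessionProvider none = new NoneSessionProvider();
        System.out.println("None provider, any id: " + none.isSessionValid("anything"));
    }
}
```

With a shared store like InMemorySessionProvider, a single application receiving the logout admin event and calling removeSession is enough for every application backed by the same store to reject that session on its next isSessionValid check, which is the point made above about sending the event to only one application when a session database is shared.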