[keycloak-dev] Session SPI for adapters

Bill Burke bburke at redhat.com
Thu Oct 2 09:01:53 EDT 2014



On 10/2/2014 4:47 AM, Stian Thorgersen wrote:
> Currently adapters use the HTTP session to manage sessions. This works fine for most, but I believe there are situations when something different is needed. For example for stateless applications. It also doesn't work for bearer-only applications, or oauth clients.
>

What doesn't work for bearer only applications? It works fine.  Bearer 
is completely stateless already and doesn't rely on the HTTP Session for 
anything.

> I propose we add a Session SPI to adapters, which allows plugging in a mechanism to manage user sessions. The interface would be something along the lines of:
>
> * void addSession(String userId, String sessionId)
> * boolean isSessionValid(String sessionId)
> * boolean removeSession(String userId, String sessionId)
>

We already have something.  JBossWeb session mgmt API != Undertow 
session mgmt so there is already an abstraction.

> We could provide a few built-in providers:
>
> * HTTP Session - store in http session as we currently do
> * Infinispan - store in an Infinispan cache
> * JPA - store in a database
> * Keycloak Session Endpoint - we could add a session info endpoint to Keycloak
> * None - no session management (relies on expiration of access token to logout users)
>

I'm not convinced at all we need this.  We shouldn't be reimplementing 
Http session replication as it was already done years and years ago...


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
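To make the trade-off in the proposal concrete, here is an added sketch (not Keycloak code, and not from either poster) of the three-method interface Stian describes, with two of the proposed providers side by side: a shared store that a logout can invalidate immediately, and the "None" provider that keeps no state and so can only rely on access-token expiry. The interface name `AdapterSessionStore`, both class names and the demo values are assumptions made for this example.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical adapter-side session SPI with the three methods proposed in the thread.
// Not Keycloak's API; the name is an assumption for this example.
interface AdapterSessionStore {
    void addSession(String userId, String sessionId);
    boolean isSessionValid(String sessionId);
    boolean removeSession(String userId, String sessionId);
}

// Stand-in for a shared provider (Infinispan or JPA in the proposal): state lives outside
// the HTTP session, so a back-channel logout can invalidate the session at once, before
// the access token reaches its expiry.
class InMemorySessionStore implements AdapterSessionStore {
    private final Map<String, String> sessionToUser = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> userToSessions = new ConcurrentHashMap<>();

    public void addSession(String userId, String sessionId) {
        sessionToUser.put(sessionId, userId);
        userToSessions.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(sessionId);
    }

    public boolean isSessionValid(String sessionId) {
        return sessionToUser.containsKey(sessionId);
    }

    public boolean removeSession(String userId, String sessionId) {
        // Only remove when the session really belongs to userId, so a logout request for one
        // user cannot drop another user's session by quoting its id.
        if (!userId.equals(sessionToUser.get(sessionId))) {
            return false;
        }
        sessionToUser.remove(sessionId);
        Set<String> sessions = userToSessions.get(userId);
        if (sessions != null) {
            sessions.remove(sessionId);
        }
        return true;
    }
}

// The "None" provider: nothing is stored, so the adapter has no way to reject a session
// early. The caller still has to check the token's own expiry; logout takes effect only
// when the access token expires, which is exactly the limitation named in the proposal.
class NoSessionStore implements AdapterSessionStore {
    public void addSession(String userId, String sessionId) { }
    public boolean isSessionValid(String sessionId) { return true; }
    public boolean removeSession(String userId, String sessionId) { return false; }
}

public class SessionStoreDemo {
    public static void main(String[] args) {
        // Constructed identifiers for the demo; real adapters would use the ids from the token.
        String user = "user-1";
        String session = "sess-abc";

        AdapterSessionStore shared = new InMemorySessionStore();
        shared.addSession(user, session);
        System.out.println("shared, after login:  " + shared.isSessionValid(session));  // true
        System.out.println("shared, wrong user:   " + shared.removeSession("user-2", session)); // false
        shared.removeSession(user, session);
        System.out.println("shared, after logout: " + shared.isSessionValid(session));  // false

        AdapterSessionStore none = new NoSessionStore();
        none.addSession(user, session);
        none.removeSession(user, session);
        // Still true: with no state, logout cannot be enforced before token expiry.
        System.out.println("none, after logout:   " + none.isSessionValid(session));   // true
    }
}
```

The point the demo makes is the one behind the "None" entry in the list: if the adapter keeps no session state at all, `isSessionValid` can never say no, so the only thing bounding a logged-out user's access is the access-token lifetime.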