[keycloak-dev] Session SPI for adapters

Bill Burke bburke at redhat.com
Fri Oct 3 11:17:50 EDT 2014



On 10/3/2014 2:38 AM, Stian Thorgersen wrote:
> Let's take a step-back here and consider the problem instead of a potential solution.
>
> Currently we require all applications to have an HTTP session to keep track of the user's session as well as storing the tokens. When an application is clustered this requires replicating the HTTP session to all nodes, or using sticky load balancer sessions.
>
> I think it's quite likely that some don't want to have an HTTP session and instead store the token in a cookie to make the application fully stateless. That's simple enough to add, right? And storing the token in an http-only cookie should be safe as well. However, one issue remains: how do we deal with single sign-out in this case? As there's no state kept in the application, a logout admin event from Keycloak isn't going to work. So would we just rely on the access token expiring in this case? Or could we add something better?
>

You don't have to change anything for bearer-only apps.  Blacklist and 
time-based revocation policies are enough.

For browser apps, the problem is logout.  A cookie won't work for logout. 
While you could log out one user via a browser redirect protocol, that 
doesn't work when an admin wants to initiate a logout of one or all 
users from the admin console.  This is because a logout generates an 
out-of-band request to each application.  The applications match the 
UserSessionModel id with an HTTP Session and invalidate the session.  So 
the adapter needs a UserSessionModel->HttpSession id map.

Maybe the access code to token protocol could be modified to send the 
Http session id?  This could be stored in the client session and sent 
with the out-of-band logout request.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
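To make the two mechanisms in this exchange concrete, here is an added toy model (illustration written for this thread, not Keycloak adapter code): a stateful browser adapter that keeps the UserSessionModel id -> HTTP session id map so an out-of-band logout can find and invalidate local sessions, and a stateless bearer-only adapter that relies only on token expiry, a pushed "not-before" timestamp (a simplified stand-in for the time-based revocation policy) and a blacklist of revoked session ids. The optional `http_session_ids` argument on the logout handler models Bill's idea of Keycloak learning the HTTP session id during the code-to-token exchange and sending it back with the logout request. Class names, field names and the token dict layout are assumptions for the example.

```python
"""Toy model of back-channel logout handling for a Keycloak-style adapter.
Constructed illustration for the thread above; not Keycloak's own code."""
import time
from dataclasses import dataclass, field


@dataclass
class HttpSession:
    """Minimal stand-in for a servlet HTTP session (assumed shape)."""
    id: str
    attributes: dict = field(default_factory=dict)
    valid: bool = True


class BrowserAdapter:
    """Stateful adapter: holds the UserSessionModel id -> HTTP session id map
    that an admin-initiated, out-of-band logout request needs."""

    def __init__(self):
        self.http_sessions = {}          # http session id -> HttpSession
        self.user_session_map = {}       # keycloak user session id -> {http session ids}

    def on_login(self, http_session, keycloak_session_id, token):
        # Store the token in the HTTP session and record the mapping.
        http_session.attributes["token"] = token
        self.http_sessions[http_session.id] = http_session
        self.user_session_map.setdefault(keycloak_session_id, set()).add(http_session.id)

    def on_backchannel_logout(self, keycloak_session_ids, http_session_ids=()):
        """Handle the out-of-band logout request. If the request already carries
        HTTP session ids (Bill's suggestion), no map lookup is required."""
        targets = set(http_session_ids)
        for ks in keycloak_session_ids:
            targets |= self.user_session_map.pop(ks, set())
        invalidated = []
        for hs_id in sorted(targets):
            session = self.http_sessions.pop(hs_id, None)
            if session is not None:
                session.valid = False
                session.attributes.clear()
                invalidated.append(hs_id)
        return invalidated

    def is_authenticated(self, http_session_id):
        session = self.http_sessions.get(http_session_id)
        return bool(session and session.valid and "token" in session.attributes)


class BearerOnlyAdapter:
    """Stateless adapter: no per-user state. Revocation is purely policy-based:
    token expiry, a pushed not-before timestamp, and a session blacklist."""

    def __init__(self):
        self.not_before = 0     # tokens issued before this instant are rejected
        self.blacklist = set()  # revoked keycloak session ids

    def apply_not_before(self, timestamp):
        self.not_before = timestamp

    def blacklist_session(self, keycloak_session_id):
        self.blacklist.add(keycloak_session_id)

    def is_valid(self, token, now=None):
        """token is an already signature-verified claim set with iat, exp and
        session_state (assumed names); signature checking is out of scope here."""
        if now is None:
            now = time.time()
        if token["exp"] <= now:
            return False                      # time-based: token expired
        if token["iat"] < self.not_before:
            return False                      # time-based: issued before revocation point
        if token["session_state"] in self.blacklist:
            return False                      # blacklist: session explicitly revoked
        return True


if __name__ == "__main__":
    adapter = BrowserAdapter()
    alice, bob = HttpSession("http-1"), HttpSession("http-2")
    adapter.on_login(alice, "ks-A", {"sub": "alice"})
    adapter.on_login(bob, "ks-B", {"sub": "bob"})
    print("admin logout of ks-A invalidates:", adapter.on_backchannel_logout(["ks-A"]))
    print("alice still authenticated?", adapter.is_authenticated("http-1"))
    print("bob still authenticated?", adapter.is_authenticated("http-2"))
```

Running the module shows the admin logout invalidating only Alice's HTTP session; the bearer-only adapter is exercised purely through `is_valid`, which is the only decision a stateless application can make.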