[keycloak-dev] Stateless session management pushed

Marek Posolda mposolda at redhat.com
Wed Oct 8 18:02:07 EDT 2014


A summary of my changes:

- Added a new parameter "http_session_id" to the code-to-token request. It's 
not mandatory and is used just for AS7/Wildfly adapters. In Keycloak, it's 
saved as a note in ClientSessionModel.

- ResourceAdminManager refactored to use the IDs of the httpSession, which 
are retrieved from ClientSessions. Removed username and 
keycloakSessionId from LogoutAction.

- Adapter statistics and everything related to them removed.

- UndertowUserSessionManagement and CatalinaUserManagement are now fully 
stateless.

- Added a new config option to adapters, 'always-refresh-token', as we 
discussed. If it's true, then the adapter will always send a request to 
refresh the accessToken during authentication (doesn't apply to bearer 
authentication, just to cookie). In the end I've used this approach 
instead of validating the accessToken. It seems to be safer (no window) and 
you are always fine with 1 additional request. This option is useful in a 
cluster in case you have non-distributable sessions. With 
non-distributable sessions it could happen that your user logged in on node1, but 
the logout request from KC is handled on node2 where the httpSession doesn't 
exist. This is no issue with "distributable" sessions as those are 
replicated and hence logout can happen on any node.

- https://issues.jboss.org/browse/KEYCLOAK-741 -- If refreshing the token 
fails from adapters, then the httpSession is invalidated immediately.

So clustering on the adapters side works well now for both Wildfly & EAP 6.3.


Questions & remaining work:

- I am not so happy with logout for apps with non-distributable HTTP 
sessions. It can be handled with 'always-refresh-token' but it's a 
performance penalty to always refresh the token. The alternative might be to 
also send the hostname in the code-to-token request. This would help as 
ResourceAdminManager will be able to detect to which node to send the request 
to invalidate the http session. Is it worth adding it?

- Is it ok to have a parameter like "http_session_id" or should it be 
instead something more generic like "adapter_session_id"? I am not sure 
whether 'Http Session' is not a JEE-specific term. I looked at OpenID Connect 
and there is nothing like this mentioned (in fact OpenID Connect 
doesn't handle single sign-out).

- Should we add https://issues.jboss.org/browse/KEYCLOAK-702 (Support 
for storing the token in a cookie instead of the HttpSession) or is it ok to leave 
it for later? Note that for logout it will require the 
'always-refresh-token' or "hostname" stuff I mentioned above.

Thoughts?

Marek
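The clustered single-sign-out problem described in the mail above (user logs in on node1, the back-channel logout from Keycloak is routed to node2, node1 keeps a stale HTTP session) is easier to see with a small model. The following Python simulation is an added illustration and is not part of Marek's mail or of the Keycloak code base; the Keycloak stand-in, the node names, the session stores and every function name are assumptions made for the example. It models the http_session_id note saved at code-to-token time, the LogoutAction carrying only HTTP session IDs, non-distributable versus replicated session stores, and the 'always-refresh-token' path in which a failed refresh invalidates the session immediately (the KEYCLOAK-741 behaviour).

```python
import secrets


class Keycloak:
    """Constructed stand-in for the server side; not the real Keycloak implementation."""

    def __init__(self):
        self.client_sessions = {}  # user_session_id -> notes stored on the client session
        self.refresh_tokens = {}   # refresh_token -> user_session_id

    def code_to_token(self, user_session_id, http_session_id):
        # The adapter passes its http_session_id with the code-to-token request;
        # the server keeps it as a note on the client session (assumed shape).
        self.client_sessions[user_session_id] = {"http_session_id": http_session_id}
        refresh = secrets.token_hex(8)
        self.refresh_tokens[refresh] = user_session_id
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh}

    def refresh(self, refresh_token):
        # A refresh only succeeds while the user session is still alive on the server.
        user_session_id = self.refresh_tokens.get(refresh_token)
        if user_session_id is None or user_session_id not in self.client_sessions:
            raise PermissionError("refresh token no longer valid")
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh_token}

    def logout(self, user_session_id):
        """Return the back-channel LogoutAction: just the HTTP session IDs from the notes."""
        notes = self.client_sessions.pop(user_session_id)
        self.refresh_tokens = {t: s for t, s in self.refresh_tokens.items() if s != user_session_id}
        return {"http_session_ids": [notes["http_session_id"]]}


class AdapterCluster:
    """Two (or more) application nodes behind a load balancer, each running an adapter."""

    def __init__(self, kc, node_names, distributable, always_refresh_token):
        self.kc = kc
        self.always_refresh_token = always_refresh_token
        if distributable:
            shared = {}  # replicated sessions: every node sees the same store
            self.stores = {n: shared for n in node_names}
        else:
            self.stores = {n: {} for n in node_names}  # non-distributable: per-node stores

    def login(self, node, user_session_id):
        http_session_id = secrets.token_hex(4)
        tokens = self.kc.code_to_token(user_session_id, http_session_id)
        self.stores[node][http_session_id] = tokens
        return http_session_id

    def handle_logout_action(self, node, action):
        """The node that receives the admin request invalidates the listed sessions it knows."""
        removed = 0
        for sid in action["http_session_ids"]:
            if self.stores[node].pop(sid, None) is not None:
                removed += 1
        return removed

    def request(self, node, http_session_id):
        """Cookie-authenticated request hitting `node`; True if treated as logged in."""
        store = self.stores[node]
        tokens = store.get(http_session_id)
        if tokens is None:
            return False
        if self.always_refresh_token:
            try:
                store[http_session_id] = self.kc.refresh(tokens["refresh_token"])
            except PermissionError:
                store.pop(http_session_id, None)  # refresh failed: invalidate immediately
                return False
        return True


def simulate(distributable, always_refresh_token):
    """Login on node1, logout routed to node2, then a request on node1.

    Returns True when node1 still accepts the stale session, i.e. logout was missed.
    """
    kc = Keycloak()
    cluster = AdapterCluster(kc, ["node1", "node2"], distributable, always_refresh_token)
    sid = cluster.login("node1", "user-session-1")
    action = kc.logout("user-session-1")
    cluster.handle_logout_action("node2", action)  # load balancer picks node2
    return cluster.request("node1", sid)


if __name__ == "__main__":
    for dist in (False, True):
        for refresh in (False, True):
            print(f"distributable={dist} always-refresh-token={refresh} "
                  f"stale session accepted={simulate(dist, refresh)}")
```

Only the combination of non-distributable sessions without 'always-refresh-token' leaves node1 accepting the logged-out session; the extra refresh round trip on every cookie-authenticated request is the price the mail discusses, and a hostname note on the client session would instead let the server target node1 directly.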

