[keycloak-dev] session_state changed to ClientSession id?

Bill Burke bburke at redhat.com
Fri Feb 20 07:48:09 EST 2015 


On 2/20/2015 3:22 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, February 19, 2015 8:54:48 PM
>> Subject: Re: [keycloak-dev] session_state changed to ClientSession id?
>>
>>
>>
>> On 2/19/2015 1:10 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, February 19, 2015 4:25:48 AM
>>>> Subject: [keycloak-dev] session_state changed to ClientSession id?
>>>>
>>>> Can I change the session_state in the access token (and refresh token)
>>>> to point to ClientSession id instead?  Right now it points to the user
>>>> session id.
>>>
>>> What's the benefits of doing that?
>>>
>>> It might have some impact on the Infinispan provider. For best performance
>>> user sessions should be retrieved by id, which we won't be able to do if
>>> we don't have it.
>>>
>>
>> Access and refresh tokens should be associated with a client session so
>> that we can track back an audit.  For claim mapping, I'm also allowing
>> admins to map client session notes into the token.  There might be
>> temporary protocol specific information stored there.
>>
>> I can just add a new client_session claim if needed.
>
> If everything changes to lookup by client session id it should work fine. It would require a bit of tinkering though.
>
> On a related note would it make sense to create a single client session per client per user session? For example as the admin console doesn't store tokens (and any client using keycloak.js is the same) a new client session is created if a user refreshes the page.
>

Refreshing the page nor refresh token causes a new client session to be 
submitted.  If a completely different browser is used to visit the app, 
then yes, there is a different client session.  In that case, you still 
want a new client session to be created because it would be a totally 
different HttpSession for the client.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list