[keycloak-dev] Idle timeout notification

Bill Burke bburke at redhat.com
Tue Jun 30 13:42:41 EDT 2015



On 6/30/2015 11:00 AM, Stan Silvert wrote:
> On 6/30/2015 9:22 AM, Bill Burke wrote:
>>
>> On 6/30/2015 8:23 AM, Stan Silvert wrote:
>>> On 6/29/2015 8:34 PM, Bill Burke wrote:
>>>> On 6/29/2015 5:39 PM, Stan Silvert wrote:
>>>>> On 6/29/2015 5:26 PM, Bill Burke wrote:
>>>>>> We do need some way to listen at the adapter level for a logout event
>>>>>> sent by the auth server.  Undertow and Tomcat and Jetty all have ways to
>>>>>> listen for session invalidation events I believe too.  Not sure if the
>>>>>> servlet spec has something standard.
>>>>> Yes, the servlet spec has HttpSessionListener with a sessionDestroyed()
>>>>> callback.
>>>>>
>>>>> We could come up with some javascript that you put on the client side
>>>>> that registers with the adapter and gets notified of session
>>>>> invalidation.  I'm just wondering if it's something we should provide or
>>>>> not.
>>>> Javascript adapter already checks for logout.
>>>>
>>> What would you suggest for apps that use the other adapters?
>> They should use regular servlet means to timeout the session.
>>
> That's not what I'm asking about.  I'm asking if we should provide a
> standard callback to the client when the timeout occurs.
>
> The client wants to provide a notification to the user about the session
> timeout.  Right now, it is up to each application to build their own
> infrastructure for doing that.

For a servlet app, this "infrastructure" already exists.  As you said 
before, you can set up an HttpSessionListener.  For a javascript app, 
our javascript adapter already handles this.

>  But we could provide an out of the box
> solution that works for the entire realm.  What we would need is a
> standard way for the client to register a callback with our adapters.
> Or it could register the callback with the Keycloak server.  (Or a
> heartbeat instead of a callback.  There are many ways to do this.)
>
> The main point is that Keycloak could provide a realm-wide solution.
> That's what the customer is wanting.

Our background session expiration task currently just wipes away the 
sessions in Keycloak server.  If it was changed to perform a
backchannel logout, then the adapters would always get notified and 
again, the app developer can just implement an HttpSessionListener.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
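
Added example, not part of the original message and not Keycloak code: a servlet `HttpSessionListener` of the kind the thread refers to, recording why a session ended so the application can tell an idle timeout from an explicit invalidation such as a logout. The class name, the idle-time heuristic and the hashed session reference are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener name; registered through the Servlet 3.0 annotation.
@WebListener
public class SessionEndAuditListener implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SessionEndAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to record on creation in this example.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        String cause;
        try {
            // Heuristic (assumption): idle past the configured limit means a
            // container timeout; otherwise something invalidated the session.
            long idleMs = System.currentTimeMillis() - s.getLastAccessedTime();
            int maxIdleSec = s.getMaxInactiveInterval(); // <= 0: never times out
            cause = (maxIdleSec > 0 && idleMs >= maxIdleSec * 1000L)
                    ? "idle-timeout" : "invalidated";
        } catch (IllegalStateException e) {
            // Some containers deliver the event after invalidation.
            cause = "unknown";
        }
        LOG.info("session ended ref=" + ref(s.getId()) + " cause=" + cause);
    }

    // Log a short digest, never the raw session id, which is a bearer secret.
    static String ref(String sessionId) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 8; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```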

