[keycloak-dev] Adding notBefore to user?

Bill Burke bburke at redhat.com
Wed Aug 9 10:08:29 EDT 2017


What if the user has multiple sessions and only wants to log out of one?


On 8/9/17 6:12 AM, Marek Posolda wrote:
> I am thinking about adding notBefore to user. It will be updated when a
> user logs out in Account management or when an admin logs out a user in
> the admin console.
>
> I am thinking about this because in cross-dc environment, it can happen
> under some circumstances that particular userSession "123" is not
> available in infinispan cache on any Keycloak server, however it's
> available on the remoteCache on JDG server. So it can happen that:
> - Admin presses "Logout all sessions", but session 123 won't be affected
> as it's available just on remoteCache
> - Someone (attacker) sends refresh token for session 123. It will be
> loaded from remoteCache store to Keycloak cache and will be treated as
> valid session.
>
> Do you think it's a bad idea to add notBefore to user? There may be some
> other ways to mitigate the issue if you think it's bad.
>
> I am thinking about adding it to a separate table, so it's persistent
> across server restarts even for users from federated user storages.
> Something similar to how consents are saved. WDYT?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
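A constructed model, added here and not Keycloak's own code, of the scenario Marek describes together with the proposed per-user notBefore: a session that exists only on the JDG remoteCache survives "Logout all sessions" and is revived by a refresh token unless the token's issue time is compared against the user's notBefore, while a single-session logout leaves notBefore untouched, which is the case Bill asks about. The class names, the two-dict cache tiers, the iat-based comparison and the timestamps are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class RefreshToken:
    session_id: str
    user_id: str
    issued_at: int  # epoch seconds, as the JWT "iat" claim would carry

@dataclass
class SessionStore:
    local: dict = field(default_factory=dict)   # Infinispan cache on this Keycloak node
    remote: dict = field(default_factory=dict)  # remoteCache on the JDG server
    user_not_before: dict = field(default_factory=dict)  # proposed per-user table
    check_user_not_before: bool = True          # toggle the proposed check

    def logout_all_sessions(self, user_id: str, now: int) -> None:
        # "Logout all sessions" only sees sessions in the local cache; a session
        # living solely on the remoteCache is missed.
        for sid in [s for s, u in self.local.items() if u == user_id]:
            del self.local[sid]
            self.remote.pop(sid, None)  # removal propagates for sessions this node knows
        self.user_not_before[user_id] = now  # the proposed addition

    def logout_session(self, session_id: str) -> None:
        # Single-session logout: drop that session only, notBefore untouched.
        self.local.pop(session_id, None)
        self.remote.pop(session_id, None)

    def refresh(self, tok: RefreshToken) -> tuple[bool, str]:
        user = self.local.get(tok.session_id)
        if user is None:
            # Cache miss: lazy load from remoteCache, the path that revives a
            # session "Logout all sessions" never saw.
            user = self.remote.get(tok.session_id)
            if user is None:
                return False, "session not found"
            self.local[tok.session_id] = user
        nb = self.user_not_before.get(tok.user_id, 0)
        if self.check_user_not_before and tok.issued_at < nb:
            return False, "token issued before user notBefore"
        return True, "ok"

def scenario(check_user_not_before: bool) -> dict:
    s = SessionStore(check_user_not_before=check_user_not_before)
    s.local.update({"100": "alice", "200": "alice"})
    s.remote.update({"100": "alice", "200": "alice", "123": "alice"})  # 123 only on JDG
    s.logout_session("200")
    other_ok = s.refresh(RefreshToken("100", "alice", 1000))[0]  # unaffected by single logout
    s.logout_all_sessions("alice", now=2000)
    return {"other_survives_single_logout": other_ok,
            "stale_123_accepted": s.refresh(RefreshToken("123", "alice", 1000))[0],
            "known_100_accepted": s.refresh(RefreshToken("100", "alice", 1000))[0]}
```

Running `scenario(False)` shows session 123 being accepted after the admin logout; `scenario(True)` shows the per-user notBefore rejecting it without affecting the single-session logout path.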
