[keycloak-dev] Adding notBefore to user?

Bill Burke bburke at redhat.com
Wed Aug 9 14:20:21 EDT 2017


I think that works then what you are proposing.


On 8/9/17 11:08 AM, Marek Posolda wrote:
> I am thinking that logout of a single concrete session won't update 
> notBefore. Just "Logout all sessions" for a concrete user will update it 
> for this user. I assume that an admin or user usually uses "Logout all" if 
> they think that something was broken (password compromised, mobile 
> phone stolen, etc.)?
>
> BTW, the admin console has support for logout of a single session as well as 
> logout all. However, account management has support just for "logout 
> all" ATM. Maybe something useful to add?
>
> Marek
>
> On 09/08/17 16:08, Bill Burke wrote:
>> What if the user has multiple sessions and only wants to log out of one?
>>
>>
>> On 8/9/17 6:12 AM, Marek Posolda wrote:
>>> I am thinking about adding notBefore to user. It will be updated when
>>> a user logs out in Account management or when an admin logs out a user in the admin
>>> console.
>>>
>>> I am thinking about this because in cross-dc environment, it can happen
>>> under some circumstances that particular userSession "123" is not
>>> available in infinispan cache on any Keycloak server, however it's
>>> available on the remoteCache on JDG server. So it can happen that:
>>> - Admin presses "Logout all sessions", but session 123 won't be affected
>>> as it's available just on remoteCache
>>> - Someone (attacker) sends refresh token for session 123. It will be
>>> loaded from remoteCache store to Keycloak cache and will be treated as
>>> valid session.
>>>
>>> Do you think it's a bad idea to add notBefore to user? There may be some
>>> other ways to mitigate the issue if you think it's bad.
>>>
>>> I am thinking about adding it to a separate table, so it's persistent
>>> across server restarts even for users from federated user storages.
>>> Something similar to how consents are saved. WDYT?
>>>
>>> Marek
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
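Added example (not Keycloak code, and not from anyone in this thread): a small simulation of the cross-DC gap Marek describes and of how a per-user notBefore closes it. The session store, the clock values, user "alice" and session ids "123"/"456" are all constructed for illustration; the only behaviour taken from the thread is that a session missing from the local cache is lazily loaded from the remote cache, that "Logout all" sets the user's notBefore while single-session logout does not, and that a refresh token is only honoured for a session started at or after that notBefore.

```python
"""Simulation of a per-user notBefore check (example code, not Keycloak's).

Constructed model:
- sessions live in a local cache and a remote cache; a session that is
  missing locally is loaded from the remote cache on first use;
- "logout all" for a user removes the sessions it can see locally and,
  with the proposed fix, records user_not_before[user] = now;
- logging out a single session only removes that session;
- a refresh token is accepted only if the session still exists (after the
  remote lookup) and was started at or after the user's notBefore.
"""
from dataclasses import dataclass, field


@dataclass
class UserSession:
    session_id: str
    user_id: str
    started: int  # seconds on a constructed clock, not wall time


@dataclass
class SessionStore:
    local_cache: dict = field(default_factory=dict)
    remote_cache: dict = field(default_factory=dict)
    user_not_before: dict = field(default_factory=dict)

    def start_session(self, session, replicate_locally=True):
        # Every session reaches the remote cache; under the cross-DC gap it may
        # be absent from the local cache of the node that later handles logout.
        self.remote_cache[session.session_id] = session
        if replicate_locally:
            self.local_cache[session.session_id] = session

    def logout_session(self, session_id):
        # Single-session logout: drop it everywhere, do not touch notBefore.
        self.local_cache.pop(session_id, None)
        self.remote_cache.pop(session_id, None)

    def logout_all(self, user_id, now, use_user_not_before=True):
        # Only sessions visible in the local cache can be removed here ...
        for sid, s in list(self.local_cache.items()):
            if s.user_id == user_id:
                self.logout_session(sid)
        # ... so record the cutoff; a session that was only in the remote
        # cache is then rejected when it resurfaces via a refresh token.
        if use_user_not_before:
            self.user_not_before[user_id] = now

    def refresh(self, session_id, user_id):
        """Return True if a refresh token for this session would be accepted."""
        session = self.local_cache.get(session_id)
        if session is None:
            session = self.remote_cache.get(session_id)
            if session is None:
                return False
            self.local_cache[session_id] = session  # lazy load from remote
        if session.user_id != user_id:
            return False
        return session.started >= self.user_not_before.get(user_id, 0)


def replay_after_logout_all(use_user_not_before):
    """Session 123 exists only remotely; is its refresh token still valid
    after the admin presses "Logout all sessions"?"""
    store = SessionStore()
    store.start_session(UserSession("123", "alice", 1000), replicate_locally=False)
    store.start_session(UserSession("456", "alice", 1100))
    store.logout_all("alice", now=1200, use_user_not_before=use_user_not_before)
    return store.refresh("123", "alice")


def login_after_logout_all():
    """A session started after "logout all" must still be usable."""
    store = SessionStore()
    store.start_session(UserSession("123", "alice", 1000))
    store.logout_all("alice", now=1200)
    store.start_session(UserSession("789", "alice", 1300))
    return store.refresh("789", "alice")


def single_logout_keeps_other_sessions():
    """Logging out one session leaves the user's other sessions valid."""
    store = SessionStore()
    store.start_session(UserSession("123", "alice", 1000))
    store.start_session(UserSession("456", "alice", 1100))
    store.logout_session("123")
    return store.refresh("123", "alice"), store.refresh("456", "alice")


if __name__ == "__main__":
    print("replay without user notBefore accepted:", replay_after_logout_all(False))
    print("replay with user notBefore accepted:   ", replay_after_logout_all(True))
    print("new session after logout all accepted: ", login_after_logout_all())
    print("single logout (123, 456):              ", single_logout_keeps_other_sessions())
```

Without the per-user cutoff the replay of session 123 succeeds because "logout all" never saw it; with the cutoff it is rejected the moment it is loaded from the remote cache, while sessions started afterwards and sessions untouched by a single-session logout continue to work.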


