[keycloak-dev] Adding notBefore to user?
bburke at redhat.com
Wed Aug 9 14:20:21 EDT 2017
I think that works then what you are proposing.
On 8/9/17 11:08 AM, Marek Posolda wrote:
> I am thinking that logout of a single concrete session won't update
> notBefore. Just "Logout all sessions" for a concrete user will update it
> for this user. I assume that an admin or user usually uses "Logout all" if
> he thinks that something was broken (password compromised, mobile
> phone stolen etc)?
> BTW. Admin console has support for logout of a single session as well as
> logout all. However account management has support just for "logout
> all" ATM. Maybe something useful to add?
> On 09/08/17 16:08, Bill Burke wrote:
>> What if the user has multiple sessions and only wants to log out of one?
>> On 8/9/17 6:12 AM, Marek Posolda wrote:
>>> I am thinking about adding notBefore to user. It will be updated when
>>> the user logs out in Account management or when the admin logs the user out in admin
>>> I am thinking about this because in a cross-dc environment, it can happen
>>> under some circumstances that a particular userSession "123" is not
>>> available in the infinispan cache on any Keycloak server, however it's
>>> available on the remoteCache on the JDG server. So it can happen that:
>>> - Admin presses "Logout all sessions", but session 123 won't be affected
>>> as it's available just on the remoteCache
>>> - Someone (attacker) sends a refresh token for session 123. It will be
>>> loaded from the remoteCache store to the Keycloak cache and will be treated as
>>> a valid session.
>>> Do you think it's a bad idea to add notBefore to user? There may be some
>>> other ways to mitigate the issue if you think it's bad.
>>> I am thinking about adding it to a separate table, so it's persistent
>>> across server restarts even for users from federated user storages.
>>> Something similar to how consents are saved. WDYT?
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
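The cross-DC scenario Marek describes, modeled as an added example in Python (not Keycloak's own code): a two-tier session store where "Logout all sessions" only sees the local cache, and a refresh check that either ignores or enforces a per-user notBefore. The store names, the `issued_at < notBefore` rule and all timestamps are constructed assumptions for the model.

```python
from dataclasses import dataclass, field

@dataclass
class RefreshToken:
    session_id: str
    user_id: str
    issued_at: int          # token "iat" in seconds; constructed values below

@dataclass
class SessionStores:
    # Two tiers from the thread: Keycloak-local Infinispan cache, JDG remoteCache behind it.
    local: dict = field(default_factory=dict)            # session_id -> user_id
    remote: dict = field(default_factory=dict)           # session_id -> user_id
    user_not_before: dict = field(default_factory=dict)  # user_id -> timestamp (proposed)

    def logout_all(self, user_id: str, now: int) -> None:
        """'Logout all sessions' on one server: drop visible sessions, stamp user notBefore."""
        for sid in [s for s, u in self.local.items() if u == user_id]:
            del self.local[sid]
        self.user_not_before[user_id] = now

    def lookup(self, session_id: str):
        """Local miss falls through to the remote store and re-populates the local cache."""
        if session_id in self.local:
            return self.local[session_id]
        if session_id in self.remote:
            self.local[session_id] = self.remote[session_id]
            return self.local[session_id]
        return None

def refresh(stores: SessionStores, tok: RefreshToken, enforce_user_not_before: bool) -> str:
    """Return 'ok' or a rejection reason for a refresh-token request."""
    owner = stores.lookup(tok.session_id)
    if owner != tok.user_id:
        return "rejected: no such session"
    # Assumed semantics, mirroring realm/client notBefore: a token issued
    # before the user's notBefore is stale even though its session still exists.
    if enforce_user_not_before and tok.issued_at < stores.user_not_before.get(tok.user_id, 0):
        return "rejected: issued before user notBefore"
    return "ok"

def replay_scenario(enforce_user_not_before: bool) -> str:
    """Session '123' lives only in the remote store during 'Logout all'; its token is replayed later."""
    stores = SessionStores(remote={"123": "alice"})
    stores.logout_all("alice", now=1000)                 # never sees session 123
    stale = RefreshToken("123", "alice", issued_at=900)  # minted before the logout
    return refresh(stores, stale, enforce_user_not_before)
```

`replay_scenario(False)` reproduces the problem (the stale session is revived from the remote store and accepted); `replay_scenario(True)` shows the user-level notBefore closing it without needing every server to have seen the session.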