I am thinking about adding notBefore to user. It will be updated when
the user logs out in Account management or when an admin logs the user
out in the admin console.
I am thinking about this because in a cross-DC environment, it can
happen under some circumstances that a particular userSession "123" is
not available in the Infinispan cache on any Keycloak server, but it
is available in the remoteCache on the JDG server. So it can happen that:
- Admin presses "Logout all sessions", but session 123 won't be affected
as it's available only in the remoteCache
- Someone (an attacker) sends a refresh token for session 123. It will
be loaded from the remoteCache store into the Keycloak cache and will be
treated as a valid session.
Do you think it's a bad idea to add notBefore to user? There may be
other ways to mitigate the issue if you think it's bad.
I am thinking about adding it to a separate table, so it's persistent
across server restarts even for users from federated user storages.
Something similar to how consents are saved. WDYT?
Marek
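The scenario in the message above, as an added runnable model (this is constructed example code, not Keycloak's own code or API): a session that survives only in the shared remoteCache is missed by "Logout all sessions", so a refresh token for it is lazily loaded back into the local cache and accepted. A per-user notBefore, compared against the token's issued-at time, rejects the token regardless of what the session cache says, and the model also shows why the value has to live in persistent storage to survive a server restart. The class, method and field names (Node, local_cache, remote_cache, user_not_before, the "alice" user and the timestamps) are all assumptions made for the illustration.

```python
# Constructed model (not Keycloak code) of the cross-DC refresh-token problem
# and the proposed per-user notBefore mitigation. All names are assumed.
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    session_id: str
    user_id: str
    issued_at: int  # epoch seconds, like the JWT "iat" claim


@dataclass
class Node:
    """One Keycloak server in a cross-DC setup (model only)."""
    local_cache: dict = field(default_factory=dict)      # Infinispan session cache
    remote_cache: dict = field(default_factory=dict)     # JDG remoteCache, shared by DCs
    user_not_before: dict = field(default_factory=dict)  # proposed per-user notBefore table

    def create_session(self, session_id: str, user_id: str, now: int) -> RefreshToken:
        self.local_cache[session_id] = user_id
        self.remote_cache[session_id] = user_id
        return RefreshToken(session_id, user_id, now)

    def logout_all_sessions(self, user_id: str, now: int, set_not_before: bool) -> None:
        # Admin "Logout all sessions": only sessions present in the local cache are
        # found, so a session that lives only in the remoteCache is missed.
        for sid, uid in list(self.local_cache.items()):
            if uid == user_id:
                del self.local_cache[sid]
                self.remote_cache.pop(sid, None)
        if set_not_before:
            self.user_not_before[user_id] = now

    def restart(self, persistent_not_before: bool) -> None:
        # A server restart wipes the local cache; the remoteCache on JDG survives.
        # The notBefore survives only if it is kept in a separate persistent table.
        self.local_cache.clear()
        if not persistent_not_before:
            self.user_not_before.clear()

    def refresh(self, token: RefreshToken, check_not_before: bool) -> str:
        # Session lookup: local cache first, then lazy-load from the remoteCache.
        # This is how the "logged out" session 123 comes back as a valid session.
        uid = self.local_cache.get(token.session_id)
        if uid is None:
            uid = self.remote_cache.get(token.session_id)
            if uid is None:
                return "rejected: unknown session"
            self.local_cache[token.session_id] = uid
        if check_not_before:
            # Same rule as realm/client notBefore: a token issued strictly before
            # the user's notBefore is dead, whatever the session cache says.
            if token.issued_at < self.user_not_before.get(uid, 0):
                return "rejected: issued before user notBefore"
        return "accepted"


def scenario(use_user_not_before: bool, restart: bool = False,
             persistent_not_before: bool = False) -> str:
    node = Node()
    token = node.create_session("123", "alice", now=1000)
    del node.local_cache["123"]  # session 123 now exists only in the remoteCache
    node.logout_all_sessions("alice", now=1060, set_not_before=use_user_not_before)
    if restart:
        node.restart(persistent_not_before)
    return node.refresh(token, check_not_before=use_user_not_before)


if __name__ == "__main__":
    print("no user notBefore:                 ", scenario(False))
    print("user notBefore:                    ", scenario(True))
    print("user notBefore, in-memory, restart:", scenario(True, restart=True))
    print("user notBefore, persisted, restart:",
          scenario(True, restart=True, persistent_not_before=True))
```

The first run shows the hole (the refresh is accepted after logout), the second shows the per-user notBefore closing it, and the last two show that an in-memory notBefore is lost on restart while one kept in a separate persistent table still rejects the token.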