[keycloak-dev] Adding notBefore to user?

I am thinking about adding notBefore to user. It will be updated when user logouts in Account management or when admin logouts user in admin console. I am thinking about this because in cross-dc environment, it can happen under some circumstances that particular userSession "123" is not available in infinispan cache on any Keycloak server, however it's available on the remoteCache on JDG server. So it can happen that: - Admin press "Logout all sessions", but session 123 won't be affected as it's available just on remoteCache - Someone (attacker) sends refresh token for session 123. It will be loaded from remoteCache store to Keycloak cache and will be treated as valid session. Do you think it's bad idea to add notBefore to user? There may be some other ways to mitigate the issue if you think it's bad. I am thinking about adding it to separate table, so it's persistent among server restarts even for users from federated user storages. Something similar to like consents are saved. WDYT? Marek