On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
Yes, it should log out from all applications and clients, but not all
devices.
So logout is really a "device" logout. "Device" being a mobile or
desktop. Logging in creates a "login session" for the device you logged
in with. A logout from that device logs the user out of all applications
that device has interacted with.
To confirm, resources to invalidate include:
* Refresh tokens
* Identity cookie
* Remember-me cookie
Also:
* application HTTP sessions. Which means that we'll have to remember
which application's HTTP sessions correspond to the "login session" of
the device used to access the application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
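
The bookkeeping described in the message above, as an added example that is not part of the original message or of any project's code: a registry keyed by per-device login session, so that one logout revokes that device's refresh tokens and returns the application HTTP sessions to invalidate while other devices stay logged in. All class and method names are hypothetical, and it assumes the identity and remember-me cookies carry the login session id, so they stop resolving once the session is removed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginSession:
    """One login session per device; everything a logout must invalidate hangs off it."""
    user: str
    device: str
    refresh_tokens: set = field(default_factory=set)
    # application name -> HTTP session ids that application opened for this login
    http_sessions: dict = field(default_factory=dict)


class SessionRegistry:
    """Hypothetical server-side store; not an API of any real product."""

    def __init__(self):
        self._by_id = {}        # login session id (assumed cookie value) -> LoginSession
        self._by_refresh = {}   # refresh token -> login session id

    def login(self, user, device):
        sid = secrets.token_urlsafe(16)
        self._by_id[sid] = LoginSession(user, device)
        return sid

    def issue_refresh_token(self, sid):
        token = secrets.token_urlsafe(32)
        self._by_id[sid].refresh_tokens.add(token)
        self._by_refresh[token] = sid
        return token

    def register_http_session(self, sid, app, http_session_id):
        # Called when an application creates its own HTTP session after SSO login.
        self._by_id[sid].http_sessions.setdefault(app, set()).add(http_session_id)

    def refresh_is_valid(self, token):
        # A token is valid only while its owning login session still exists.
        return self._by_refresh.get(token) in self._by_id

    def logout(self, sid):
        """Device logout: drop the login session, return per-app HTTP sessions to kill."""
        session = self._by_id.pop(sid, None)
        if session is None:
            return {}  # already logged out or unknown cookie: nothing to invalidate
        for token in session.refresh_tokens:
            self._by_refresh.pop(token, None)
        return session.http_sessions
```

The mapping returned by `logout` is what the server would use to tell each application which of its HTTP sessions to invalidate.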