As long as we have a way for users to invalidate everything in account management I agree
that's sufficient.
Setting UserModel.notBefore on user logout, would that not invalidate the session on
other devices/browsers as well?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 30 April, 2014 7:24:01 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
We have most of this via a not-before policy you can set at the realm
level, application, client, or user level. No ability yet to view
tokens that have been given out though and which may still be valid.
Only an admin can set the not-before policy right now.
Tasks:
* Make sure all not before policies are checked before login or refresh
* Set UserModel.notBefore when a user does a logout.
* Allow user to invalidate all grants (sets a UserModel.notBefore(now)
policy)
Not a priority:
* Allow a user to view and invalidate specific oauth grants. We can
just make it all or nothing. I just think there are higher priority
things to do.
On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
> With regards to account management what additional requirements do we have
> for beta1?
>
> Features I can think of to add now or in the future include:
>
> * Manage refresh tokens - view applications and clients that have refresh
> tokens, and the ability to invalidate specific tokens
> * Manage devices - view browsers and devices that have access (remember me
> cookie?), and the ability to invalidate specific cookies
> * Manage devices that can bypass totp - it seems to be quite common that
> it's possible to not require asking for totp again for a specific device,
> I assume this is done by setting a cookie, if we enable this it should be
> possible to view what devices have this option, as well as invalidate them
> * Manage applications - view all applications, be able to navigate to an
> application, and the ability to invalidate access to specific application
> * Manage clients - view all clients and what grants they have, and the
> ability to revoke access to specific client
>
> I think listing client grants, invalidating specific client grants, and a
> logout everything option would be sufficient. The logout everything option
> would invalidate any refresh tokens, remember me cookies, 'skip' totp
> cookies and do a sso-logout.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
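As an added illustration of the not-before mechanism Bill describes (realm, application/client and user level, with the user-level value set on logout), the following is example code written for this page, not Keycloak's own implementation; the class and function names, the client ids and the timestamps are all invented for the example. It shows how the levels compose and what a user-level not-before does to tokens held by other devices and by other clients:

```python
"""Composition of realm/client/user not-before policies, as an illustration of the
mechanism discussed in the thread. Added example, not Keycloak code; every name
here is invented for the example."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class NotBeforePolicies:
    """Not-before timestamps in seconds since the epoch; 0 means 'not set'."""
    realm: int = 0
    clients: Dict[str, int] = field(default_factory=dict)  # keyed by client id
    users: Dict[str, int] = field(default_factory=dict)    # keyed by user id


@dataclass(frozen=True)
class Token:
    """The parts of a grant that matter for the check: who, for which client, and 'iat'."""
    user: str
    client: str
    issued_at: int  # seconds; a JWT 'iat' claim has second granularity


def effective_not_before(p: NotBeforePolicies, user: str, client: str) -> int:
    """All applicable policies are checked; the latest one is the binding one."""
    return max(p.realm, p.clients.get(client, 0), p.users.get(user, 0))


def is_token_accepted(token: Token, p: NotBeforePolicies) -> bool:
    """A token issued before the effective not-before is rejected.
    Caveat: with second granularity, a token issued in the same second as the
    revocation passes this '>=' test; use '>' if that window must be closed,
    accepting that tokens legitimately issued in that second are then rejected too."""
    return token.issued_at >= effective_not_before(p, token.user, token.client)


def logout_user(p: NotBeforePolicies, user: str, now: int) -> None:
    """The logout / 'invalidate all grants' action: a user-level not-before of 'now'."""
    p.users[user] = now


def revoke_client(p: NotBeforePolicies, client: str, now: int) -> None:
    """Admin-level action: every token issued to this client before 'now' is rejected."""
    p.clients[client] = now


def demo() -> Dict[str, List[bool]]:
    """Walk through the scenario from the thread with constructed timestamps."""
    p = NotBeforePolicies()
    t0 = 1_398_880_000  # constructed; any epoch second works
    alice_laptop = Token("alice", "app-a", t0)
    alice_phone = Token("alice", "app-b", t0 + 10)
    bob_laptop = Token("bob", "app-a", t0)
    held = [alice_laptop, alice_phone, bob_laptop]

    result = {"initial": [is_token_accepted(t, p) for t in held]}

    # Alice logs out on the laptop; the user-level policy hits every device she has.
    logout_user(p, "alice", t0 + 60)
    result["after_alice_logout"] = [is_token_accepted(t, p) for t in held]

    # A fresh login after the logout is fine; the policy only bites older tokens.
    held.append(Token("alice", "app-a", t0 + 61))
    result["with_new_login"] = [is_token_accepted(t, p) for t in held]

    # An admin revokes app-a: every user's app-a token is gone; app-b is untouched,
    # so a new app-b token for Bob issued after the revocation is still accepted.
    revoke_client(p, "app-a", t0 + 120)
    held.append(Token("bob", "app-b", t0 + 121))
    result["after_app_a_revoked"] = [is_token_accepted(t, p) for t in held]
    return result


if __name__ == "__main__":
    for step, flags in demo().items():
        print(f"{step}: {flags}")
```

Two things worth keeping in mind when reading the output: the check only has effect where it is actually run (login, refresh and bearer-token validation, as the task list says), so an access token an application validates offline by signature alone survives until it expires regardless of any not-before; and because 'iat' is in whole seconds, the choice between rejecting `issued_at < not_before` and `issued_at <= not_before` decides whether a token minted in the same second as the logout is treated as revoked.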