----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 2 October, 2014 3:01:53 PM
Subject: Re: [keycloak-dev] Session SPI for adapters

On 10/2/2014 4:47 AM, Stian Thorgersen wrote:
> Currently adapters use the HTTP session to manage sessions. This works fine
> for most, but I believe there's situations when something different is
> needed. For example for stateless applications. It also doesn't work for
> bearer-only applications, or oauth clients.
>
What doesn't work for bearer only applications? It works fine. Bearer
is completely stateless already and doesn't rely on the HTTP Session for
anything.

Bearer-only doesn't have any way to check if a session is still valid.
> I propose we add a Session SPI to adapters, which allows plugging in a
> mechanism to manage user sessions. The interface would be something along
> the lines of:
>
> * void addSession(String userId, String sessionId)
> * boolean isSessionValid(String sessionId)
> * boolean removeSession(String userId, String sessionId)
>
We already have something. JBossWeb session mgmt API != Undertow
session mgmt so there is already an abstraction.
> We could provide a few built in providers:
>
> * HTTP Session - store in http session as we currently do
> * Infinispan - store in an Infinispan cache
> * JPA - store in a database
> * Keycloak Session Endpoint - we could add a session info endpoint to
> Keycloak
> * None - no session management (relies on expiration of access token to
> logout users)
>
I'm not convinced at all we need this. We shouldn't be reimplementing
Http session replication as it was already done years and years ago...

The whole idea is not to require a http session for applications that don't want that.
There was already a guy requesting this on the mailing list.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
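
The Session SPI proposed in this thread, sketched as an added example (not part of the original messages and not Keycloak code): the three method names come from the proposal, while `SessionStore`, both provider classes, `accept` and all sample values are assumptions. It contrasts the "None" provider with a store-backed one for a bearer-only service, assuming the already-verified token exposes a session id and an expiry time.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical SPI name; the three methods are the ones listed in the proposal.
interface SessionStore {
    void addSession(String userId, String sessionId);
    boolean isSessionValid(String sessionId);
    boolean removeSession(String userId, String sessionId);
}

// "None" provider: tracks nothing, so logout only takes effect at token expiry.
class NoneSessionStore implements SessionStore {
    public void addSession(String userId, String sessionId) { }
    public boolean isSessionValid(String sessionId) { return true; }
    public boolean removeSession(String userId, String sessionId) { return false; }
}

// Hypothetical in-memory provider standing in for the Infinispan or JPA ones.
class InMemorySessionStore implements SessionStore {
    private final Map<String, String> userBySession = new ConcurrentHashMap<>();

    public void addSession(String userId, String sessionId) {
        userBySession.put(sessionId, userId);
    }
    public boolean isSessionValid(String sessionId) {
        return sessionId != null && userBySession.containsKey(sessionId);
    }
    // Removes the session only if it belongs to userId.
    public boolean removeSession(String userId, String sessionId) {
        return userId != null && sessionId != null && userBySession.remove(sessionId, userId);
    }
}

public class SessionSpiDemo {
    // Bearer-only check: the token must be unexpired AND its session still known.
    static boolean accept(SessionStore store, String sessionId, long expiresAt, long now) {
        return now < expiresAt && store.isSessionValid(sessionId);
    }

    public static void main(String[] args) {
        long now = 1_000, expiresAt = 1_300;            // constructed timestamps (seconds)
        for (SessionStore store : new SessionStore[] { new NoneSessionStore(), new InMemorySessionStore() }) {
            store.addSession("user-1", "sess-abc");     // constructed ids
            boolean before = accept(store, "sess-abc", expiresAt, now);
            store.removeSession("user-1", "sess-abc");  // user logs out
            boolean after = accept(store, "sess-abc", expiresAt, now + 60);
            System.out.println(store.getClass().getSimpleName() + ": before logout=" + before + ", after logout=" + after);
        }
    }
}
```

With the "None" provider the token is still accepted after logout until it expires; with a store-backed provider the same token is rejected as soon as the session is removed.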