Re: [keycloak-dev] session_state changed to ClientSession id?

On 2/20/2015 3:22 AM, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Thursday, February 19, 2015 8:54:48 PM >> Subject: Re: [keycloak-dev] session_state changed to ClientSession id? >> >> >> >> On 2/19/2015 1:10 AM, Stian Thorgersen wrote: >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>> To: keycloak-dev(a)lists.jboss.org >>>> Sent: Thursday, February 19, 2015 4:25:48 AM >>>> Subject: [keycloak-dev] session_state changed to ClientSession id? >>>> >>>> Can I change the session_state in the access token (and refresh token) >>>> to point to ClientSession id instead? Right now it points to the user >>>> session id. >>> What's the benefits of doing that? >>> >>> It might have some impact on the Infinispan provider. For best performance >>> user sessions should be retrieved by id, which we won't be able to do if >>> we don't have it. >>> >> Access and refresh tokens should be associated with a client session so >> that we can track back an audit. For claim mapping, I'm also allowing >> admins to map client session notes into the token. There might be >> temporary protocol specific information stored there. >> >> I can just add a new client_session claim if needed. > If everything changes to lookup by client session id it should work fine. It would require a bit of tinkering though. > > On a related note would it make sense to create a single client session per client per user session? For example as the admin console doesn't store tokens (and any client using keycloak.js is the same) a new client session is created if a user refreshes the page. > Refreshing the page nor refresh token causes a new client session to be submitted. If a completely different browser is used to visit the app, then yes, there is a different client session. In that case, you still want a new client session to be created because it would be a totally different HttpSession for the client.