Re: [keycloak-dev] Adding notBefore to user?

What if the user has multiple sessions and only wants to log out of one? On 8/9/17 6:12 AM, Marek Posolda wrote: > I am thinking about adding notBefore to user. It will be updated when > user logouts in Account management or when admin logouts user in admin > console. > > I am thinking about this because in cross-dc environment, it can happen > under some circumstances that particular userSession "123" is not > available in infinispan cache on any Keycloak server, however it's > available on the remoteCache on JDG server. So it can happen that: > - Admin press "Logout all sessions", but session 123 won't be affected > as it's available just on remoteCache > - Someone (attacker) sends refresh token for session 123. It will be > loaded from remoteCache store to Keycloak cache and will be treated as > valid session. > > Do you think it's bad idea to add notBefore to user? There may be some > other ways to mitigate the issue if you think it's bad. > > I am thinking about adding it to separate table, so it's persistent > among server restarts even for users from federated user storages. > Something similar to like consents are saved. WDYT? > > Marek > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev