I am thinking that logout of a single concrete session won't update
notBefore. Just "Logout all sessions" for a concrete user will update it
for this user. I assume that an admin or user usually uses "Logout all" if
he thinks that something was broken (password compromised, mobile phone
stolen etc)?
BTW. The admin console has support for logout of a single session as well as
logout all. However, account management has support just for "logout all"
ATM. Maybe something useful to add?
Marek
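As an added illustration (not Keycloak's own code), a small model of the cross-DC gap described in the quoted message: a session that lives only in the remote cache survives "logout all" and is reloaded as valid, unless a hypothetical per-user notBefore is also checked. The session ids, user name and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    id: str
    user: str


@dataclass
class Store:
    local: dict = field(default_factory=dict)   # Infinispan cache on this Keycloak node
    remote: dict = field(default_factory=dict)  # remoteCache store on the JDG server
    user_not_before: dict = field(default_factory=dict)  # hypothetical per-user notBefore table

    def logout_all(self, user: str, now: int, set_user_not_before: bool) -> None:
        # Only sessions visible in the local cache are removed; a session that exists
        # solely in the remote store is not touched, which is the gap in the thread.
        for sid in [s for s, sess in self.local.items() if sess.user == user]:
            del self.local[sid]
        if set_user_not_before:
            self.user_not_before[user] = now

    def load_session(self, sid: str):
        # Lazy reload from the remote store makes the stale session look valid again.
        if sid not in self.local and sid in self.remote:
            self.local[sid] = self.remote[sid]
        return self.local.get(sid)

    def refresh_allowed(self, sid: str, token_issued_at: int) -> bool:
        sess = self.load_session(sid)
        if sess is None:
            return False
        # Tokens issued before the user's notBefore are rejected no matter where
        # the session was loaded from.
        return token_issued_at >= self.user_not_before.get(sess.user, 0)


def stale_refresh_accepted(set_user_not_before: bool) -> bool:
    """True if a refresh token for session "123" is still accepted after logout-all."""
    store = Store()
    store.remote["123"] = Session("123", "alice")   # constructed: only on the remote cache
    store.local["456"] = Session("456", "alice")    # constructed: a normal local session
    store.logout_all("alice", now=2000, set_user_not_before=set_user_not_before)
    return store.refresh_allowed("123", token_issued_at=1000)


def later_login_accepted() -> bool:
    """A session created after the notBefore (a fresh login) must still work."""
    store = Store()
    store.logout_all("alice", now=2000, set_user_not_before=True)
    store.local["789"] = Session("789", "alice")    # constructed: new login at t=3000
    return store.refresh_allowed("789", token_issued_at=3000)
```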
On 09/08/17 16:08, Bill Burke wrote:
What if the user has multiple sessions and only wants to log out of
one?
On 8/9/17 6:12 AM, Marek Posolda wrote:
> I am thinking about adding notBefore to user. It will be updated when
> the user logs out in Account management or when the admin logs out the user
> in the admin console.
>
> I am thinking about this because in cross-dc environment, it can happen
> under some circumstances that particular userSession "123" is not
> available in infinispan cache on any Keycloak server, however it's
> available on the remoteCache on JDG server. So it can happen that:
> - Admin press "Logout all sessions", but session 123 won't be affected
> as it's available just on remoteCache
> - Someone (attacker) sends refresh token for session 123. It will be
> loaded from remoteCache store to Keycloak cache and will be treated as
> valid session.
>
> Do you think it's bad idea to add notBefore to user? There may be some
> other ways to mitigate the issue if you think it's bad.
>
> I am thinking about adding it to separate table, so it's persistent
> among server restarts even for users from federated user storages.
> Something similar to like consents are saved. WDYT?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev