----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Sunday, 5 October, 2014 11:04:10 PM
Subject: Re: [keycloak-dev] Session SPI for adapters
On 3.10.2014 17:27, Bill Burke wrote:
>
> On 10/3/2014 6:30 AM, Marek Posolda wrote:
>> On 3.10.2014 08:38, Stian Thorgersen wrote:
>>> Let's take a step-back here and consider the problem instead of a
>>> potential solution.
>>>
>>> Currently we require all applications to have an HTTP session to keep
>>> track of the users session as well as storing the tokens. When an
>>> application is clustered this requires replicating the HTTP session to
>>> all nodes, or using sticky load balancer sessions.
>>>
>>> I think it's quite likely that some don't want to have an HTTP session and
>>> instead store the token in a cookie to make the application fully
>>> stateless. That's simple enough to add right? And storing the token in an
>>> http-only cookie should be safe as well. However, one issue remains: how
>>> do we deal with single-sign-out in this case? As there's no state kept
>>> in the application a logout admin event from Keycloak isn't going to
>>> work. So would we just rely on the access token expiring in this case?
>>> Or could we add something better?
>> One possibility I can think about is, that adapters would have some
>> option to specify if they are:
>> - stateful (In this case HttpSession is used as is now)
>> - stateless (In this case token stored in the cookie like
>> KEYCLOAK_PRINCIPAL)
>>
> Stateless browser apps could also just be configured to override token
> timeouts. Either:
>
> a) Refresh the access token on every request
> b) Do a shorter token timeout.
>
Ok, (b) is already possible. For (a) we can add an option to adapters?
Instead of (a) would it not be better to add an endpoint to Keycloak that allows verifying
a token? Then add an option to an adapter to optionally do this on every request? If I
remember correctly this endpoint may already exist.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
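The trade-off discussed in this thread (a stateless adapter holding the token in an HttpOnly cookie, relying on token expiry versus verifying the token against the server on every request) as an added, runnable sketch. This is not Keycloak adapter code: the cookie name, the HMAC-signed token format (Keycloak issues RSA-signed JWTs), and the `FakeKeycloak` stand-in with its `verify_endpoint` are all assumptions made for the example.

```python
"""Stateless adapter sketch: token lives in an HttpOnly cookie, no HttpSession.

Added illustration, not Keycloak code. Assumed for this example:
  - COOKIE_NAME and the HMAC-signed "body.sig" token format
  - FakeKeycloak, a stand-in for the server that tracks live SSO sessions
    and exposes a hypothetical verification endpoint
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

COOKIE_NAME = "KEYCLOAK_TOKEN"       # assumed cookie name
SECRET = b"example-shared-secret"    # constructed; Keycloak would use RSA keys


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, session_id: str, ttl: int, now: float) -> str:
    """Mint a token bound to an SSO session id with an absolute expiry."""
    payload = {"sub": subject, "sid": session_id, "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_locally(token: str, now: float) -> Optional[dict]:
    """Option (b) from the thread: check signature and expiry, no round trip."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
        exp = int(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return None          # malformed, tampered, or bad base64
    if exp <= now:
        return None          # expired
    return payload


class FakeKeycloak:
    """Stand-in for the server: the only place that knows about logouts."""

    def __init__(self) -> None:
        self.live_sessions: set = set()

    def login(self, subject: str, ttl: int, now: float) -> str:
        sid = f"sess-{len(self.live_sessions) + 1}"
        self.live_sessions.add(sid)
        return issue_token(subject, sid, ttl, now)

    def logout(self, sid: str) -> None:
        self.live_sessions.discard(sid)   # admin / single-sign-out event

    def verify_endpoint(self, token: str, now: float) -> bool:
        """Hypothetical verification endpoint: signature, expiry AND liveness."""
        payload = verify_locally(token, now)
        return payload is not None and payload["sid"] in self.live_sessions


def authenticate(cookies: dict, server: FakeKeycloak, now: float,
                 verify_every_request: bool) -> Optional[str]:
    """Adapter check for one request; returns the subject or None."""
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return None
    payload = verify_locally(token, now)
    if payload is None:
        return None
    if verify_every_request and not server.verify_endpoint(token, now):
        return None          # server says the SSO session is gone
    return payload["sub"]


def demo() -> dict:
    """Show why a stateless app cannot see a logout without a server check."""
    kc = FakeKeycloak()
    t0 = 1_000_000.0
    cookies = {COOKIE_NAME: kc.login("alice", ttl=300, now=t0)}
    before = authenticate(cookies, kc, t0 + 1, verify_every_request=False)
    kc.logout("sess-1")      # single-sign-out; the app itself holds no state
    local_only = authenticate(cookies, kc, t0 + 2, verify_every_request=False)
    per_request = authenticate(cookies, kc, t0 + 2, verify_every_request=True)
    after_expiry = authenticate(cookies, kc, t0 + 301, verify_every_request=False)
    return {"before_logout": before, "local_after_logout": local_only,
            "verified_after_logout": per_request, "after_expiry": after_expiry}
```

With local verification only, the logged-out session stays valid until `exp`, which is why a short timeout (option b) matters; the per-request server check catches the logout immediately at the cost of one round trip per request.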