On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
User sessions have been added. In summary when a user logs in a new
session is created (and persisted in the model). The identity cookie as well as all
tokens/refresh-tokens are associated with a session. When a user logs out the session is
invalidated (removed from the model), which invalidates the identity cookie and all
tokens/refresh-tokens.
There are two related issues left to do:
* Make sure adapters only log out a specific session (if LoginAction contains a session id)
* Allow a user to log out all sessions through the account management console
Also, we may want some mechanism to retrieve the status of a session from applications.
This could be a REST endpoint, or the crazy iframe technique from OpenID Connect. I think
this can be postponed to after 1.0 though.
The crazy IFrame technique would require this REST "ping". At least for
us, as our cookies would be http-only.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
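
A minimal model of the session-bound tokens discussed in this thread, as an added example that is not Keycloak's code and not part of the original messages. The function names, the HMAC token format and the in-memory store (standing in for the persisted model) are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed signing key for this demo
SESSIONS = {}                  # session id -> user; stands in for the persisted model

def login(user):
    """Create a new session on login and return its id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid

def issue_token(sid, kind="access"):
    """Issue a signed token (access or refresh) that carries its session id."""
    claims = {"sid": sid, "kind": kind, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def session_of(token):
    """Return the live session id for a token, or None if forged or logged out."""
    body, _, sig = token.partition(b".")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # signature check comes first; untrusted body is never parsed
    sid = json.loads(base64.urlsafe_b64decode(body))["sid"]
    # A valid signature is not enough: the session must still exist.
    return sid if sid in SESSIONS else None

def logout(sid):
    """Log out one specific session; its cookie and tokens stop validating."""
    SESSIONS.pop(sid, None)

def logout_all(user):
    """Log out every session of a user (the account-console case)."""
    for sid in [s for s, u in SESSIONS.items() if u == user]:
        del SESSIONS[sid]

def session_status(sid):
    """What a REST session 'ping' would report to an application."""
    return "active" if sid in SESSIONS else "invalid"
```

Because every token is checked against the session store, removing one session revokes its tokens immediately without touching the user's other sessions.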