On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
As long as we have a way for users to invalidate everything in accnt
mngmt I agree that's sufficient.
Setting UserModel.notBefore on user logout, would that not invalidate the session on
other devices/browsers as well?
Yes, for those apps that don't have an HTTP session that can be
invalidated, they will eventually have to do a refresh and the refresh
token would be invalid which would force a relog.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
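
The behaviour discussed in this thread, as an added illustration (not Keycloak code and not written by anyone in the thread): a per-user not-before timestamp set at logout makes every refresh token issued earlier fail, on every device. `TokenService`, `RefreshToken`, the injected clock and the fail-closed `<=` comparison are assumptions made for this sketch; only the `notBefore` idea comes from the messages above.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class RefreshToken:
    subject: str
    issued_at: int      # seconds since epoch
    device: str

class TokenService:
    """Toy issuer; not_before models the UserModel.notBefore field named in the thread."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._not_before = {}           # user name -> not-before timestamp

    def login(self, user, device):
        self._not_before.setdefault(user, 0)
        return RefreshToken(user, int(self._clock()), device)

    def logout(self, user):
        # One timestamp per user, not per device: this is why the logout is global.
        self._not_before[user] = int(self._clock())

    def refresh(self, token):
        not_before = self._not_before.get(token.subject)
        # Assumption: fail closed when the token shares a second with the logout.
        if not_before is None or token.issued_at <= not_before:
            raise PermissionError("refresh token predates notBefore; re-login required")
        return RefreshToken(token.subject, int(self._clock()), token.device)

def demo():
    now = [1000]                        # constructed clock, advanced by hand
    svc = TokenService(clock=lambda: now[0])
    laptop = svc.login("alice", "laptop")
    now[0] += 60
    phone = svc.login("alice", "phone")
    now[0] += 60
    svc.refresh(phone)                  # still valid before any logout
    svc.logout("alice")                 # logout triggered from one device only
    now[0] += 60
    results = {}
    for tok in (laptop, phone):
        try:
            svc.refresh(tok)
            results[tok.device] = "refreshed"
        except PermissionError:
            results[tok.device] = "relogin"
    fresh = svc.login("alice", "phone") # a new login is issued after notBefore
    now[0] += 1
    results["after_relogin"] = svc.refresh(fresh).issued_at
    return results

if __name__ == "__main__":
    print(demo())
```
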