Re: [keycloak-dev] User sessions added

What then is the benefit of having this iframe compared to just adding something like the following to keycloak.js: setTimeout(function() { var req = new XMLHttpRequest(); req.open('GET', 'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...', true); req.onreadystatechange = function () { if (req.readyState == 4 && req.status == 200) { var status = JSON.parse(req.responseText); if (!status.active) { clearToken(); } } } req.send(); }, 3000); ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Friday, 9 May, 2014 1:41:02 PM > Subject: Re: [keycloak-dev] User sessions added > > > > On 5/9/2014 6:59 AM, Stian Thorgersen wrote: >> User sessions have been added. In summary when a user logs in a new session >> is created (and persisted in the model). The identity cookie as well as >> all tokens/refresh-tokens are associated with a session. When a user logs >> out the session is invalidated (removed from the model), which invalidates >> the identity cookie and all tokens/refresh-tokens. >> >> There's two related issues left to do: >> >> * Make sure adapters only log out a specific session (if LoginAction >> contains a session id) >> * Allow a user to log out all sessions through the account management >> console >> >> Also, we may want some mechanism to retrieve the status of a session from >> applications. This could be a REST endpoint, or the crazy iframe technique >> from OpenID Connect. I think this can be postponed to after 1.0 though. >> > > The crazy IFrame techique would require this REST "ping". At least for > us, as our cookies would be http-only. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >