On 10/2/2014 4:47 AM, Stian Thorgersen wrote:
> Currently adapters use the HTTP session to manage sessions. This
> works fine for most, but I believe there are situations when something different is
> needed. For example for stateless applications. It also doesn't work for bearer-only
> applications, or oauth clients.
What doesn't work for bearer only applications? It works fine. Bearer
is completely stateless already and doesn't rely on the HTTP Session for
anything.
> I propose we add a Session SPI to adapters, which allows plugging in
> a mechanism to manage user sessions. The interface would be something along the lines of:
> * void addSession(String userId, String sessionId)
> * boolean isSessionValid(String sessionId)
> * boolean removeSession(String userId, String sessionId)
We already have something. JBossWeb session mgmt API != Undertow
session mgmt so there is already an abstraction.
> We could provide a few built in providers:
> * HTTP Session - store in http session as we currently do
> * Infinispan - store in an Infinispan cache
> * JPA - store in a database
> * Keycloak Session Endpoint - we could add a session info endpoint to Keycloak
> * None - no session management (relies on expiration of access token to logout users)
I'm not convinced at all we need this. We shouldn't be reimplementing
Http session replication as it was already done years and years ago...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
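To make the trade-off between the proposed providers concrete, here is an added sketch (not Keycloak code and not from either poster) of the Session SPI Stian outlines, with an in-memory backend standing in for the stateful options and the "None" option beside it; all method, field and token names are assumptions. It shows that a stored session lets removeSession end access immediately, whereas the "None" option leaves the access token accepted until it expires.

```python
from abc import ABC, abstractmethod


class SessionProvider(ABC):
    """Sketch of the proposed adapter Session SPI (hypothetical names)."""

    @abstractmethod
    def add_session(self, user_id: str, session_id: str) -> None: ...

    @abstractmethod
    def is_session_valid(self, session_id: str) -> bool: ...

    @abstractmethod
    def remove_session(self, user_id: str, session_id: str) -> bool: ...


class InMemorySessionProvider(SessionProvider):
    """Stateful backend, standing in for the HTTP session / Infinispan / JPA options."""

    def __init__(self):
        self._sessions = {}  # session_id -> user_id

    def add_session(self, user_id, session_id):
        self._sessions[session_id] = user_id

    def is_session_valid(self, session_id):
        return session_id in self._sessions

    def remove_session(self, user_id, session_id):
        # Only the owning user may tear a session down; report whether anything changed.
        if self._sessions.get(session_id) != user_id:
            return False
        del self._sessions[session_id]
        return True


class NoneSessionProvider(SessionProvider):
    """The 'None' option: nothing is stored, so logout cannot be enforced server-side."""

    def add_session(self, user_id, session_id):
        pass

    def is_session_valid(self, session_id):
        return True

    def remove_session(self, user_id, session_id):
        return False


def accept_token(token: dict, provider: SessionProvider, now: float) -> bool:
    """Adapter-side check: the token must be unexpired AND its session still valid."""
    return now < token["exp"] and provider.is_session_valid(token["session_id"])


def logout_window_demo(provider: SessionProvider) -> tuple:
    """Constructed sample: a token for session 's1', valid 300 s; the user logs out at +20 s."""
    issued = 1_000_000.0
    token = {"sub": "alice", "session_id": "s1", "exp": issued + 300}
    provider.add_session("alice", "s1")
    before = accept_token(token, provider, issued + 10)
    provider.remove_session("alice", "s1")  # user logs out
    after_logout = accept_token(token, provider, issued + 20)
    after_expiry = accept_token(token, provider, issued + 400)
    return before, after_logout, after_expiry
```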