Re: [keycloak-dev] User sessions added

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 9 May, 2014 2:52:20 PM Subject: Re: [keycloak-dev] User sessions added Duh... :) Now its my turn to be slow... So the iframe solution is a good one :) I'll add it to keycloak.js On 5/9/2014 9:38 AM, Stian Thorgersen wrote: > Could we not have a separate session state cookie that is not HttpOnly? > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Friday, 9 May, 2014 2:36:09 PM >> Subject: Re: [keycloak-dev] User sessions added >> >> That's what I was saying before. There is no benefit in using Iframes >> if your login cookies are HttpOnly. Your set timeout is *already* >> happening indirectly via refresh tokens. >> >> The only other benefit might be in that you'd have to enable CORS for >> that "ping" request which might be a pain. >> >> On 5/9/2014 9:10 AM, Stian Thorgersen wrote: >>> What then is the benefit of having this iframe compared to just adding >>> something like the following to keycloak.js: >>> >>> setTimeout(function() { >>> var req = new XMLHttpRequest(); >>> req.open('GET', >>> 'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...', >>> true); >>> req.onreadystatechange = function () { >>> if (req.readyState == 4 && req.status == 200) { >>> var status = JSON.parse(req.responseText); >>> if (!status.active) { >>> clearToken(); >>> } >>> } >>> } >>> req.send(); >>> }, 3000); >>> >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>> To: keycloak-dev(a)lists.jboss.org >>>> Sent: Friday, 9 May, 2014 1:41:02 PM >>>> Subject: Re: [keycloak-dev] User sessions added >>>> >>>> >>>> >>>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote: >>>>> User sessions have been added. In summary when a user logs in a new >>>>> session >>>>> is created (and persisted in the model). The identity cookie as well as >>>>> all tokens/refresh-tokens are associated with a session. When a user >>>>> logs >>>>> out the session is invalidated (removed from the model), which >>>>> invalidates >>>>> the identity cookie and all tokens/refresh-tokens. >>>>> >>>>> There's two related issues left to do: >>>>> >>>>> * Make sure adapters only log out a specific session (if LoginAction >>>>> contains a session id) >>>>> * Allow a user to log out all sessions through the account management >>>>> console >>>>> >>>>> Also, we may want some mechanism to retrieve the status of a session >>>>> from >>>>> applications. This could be a REST endpoint, or the crazy iframe >>>>> technique >>>>> from OpenID Connect. I think this can be postponed to after 1.0 though. >>>>> >>>> >>>> The crazy IFrame techique would require this REST "ping". At least for >>>> us, as our cookies would be http-only. >>>> >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com