Thanks for the confirm. Finally added that.
Marek
On 09/08/17 20:20, Bill Burke wrote:
I think that works then what you are proposing.
On 8/9/17 11:08 AM, Marek Posolda wrote:
> I am thinking that logout of a single concrete session won't update
> notBefore. Just "Logout all sessions" for a concrete user will update
> it for this user. I assume that an admin or user usually uses "Logout
> all" if he thinks that something was broken (password compromised,
> mobile phone stolen etc)?
>
> BTW, the admin console has support for logout of a single session as well
> as logout all. However, account management has support just for
> "logout all" ATM. Maybe something useful to add?
>
> Marek
>
> On 09/08/17 16:08, Bill Burke wrote:
>> What if the user has multiple sessions and only wants to log out of
>> one?
>>
>>
>> On 8/9/17 6:12 AM, Marek Posolda wrote:
>>> I am thinking about adding notBefore to the user. It will be updated when
>>> the user logs out in account management or when an admin logs the user out
>>> in the admin console.
>>>
>>> I am thinking about this because in a cross-DC environment it can
>>> happen under some circumstances that a particular userSession "123" is not
>>> available in the Infinispan cache on any Keycloak server, however it's
>>> available on the remoteCache on the JDG server. So it can happen that:
>>> - Admin presses "Logout all sessions", but session 123 won't be
>>> affected as it's available just on the remoteCache
>>> - Someone (attacker) sends a refresh token for session 123. It will be
>>> loaded from the remoteCache store to the Keycloak cache and will be treated as
>>> a valid session.
>>>
>>> Do you think it's a bad idea to add notBefore to the user? There may be some
>>> other ways to mitigate the issue if you think it's bad.
>>>
>>> I am thinking about adding it to a separate table, so it's persistent
>>> across server restarts even for users from federated user storages.
>>> Something similar to how consents are saved. WDYT?
>>>
>>> Marek
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
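The scenario Marek describes, modelled as an added example (not Keycloak code): a session that exists only on the remote cache survives "Logout all sessions", so a replayed refresh token is accepted unless a per-user notBefore is checked. The class and function names, the in-memory two-tier store and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: str
    not_before: int = 0     # proposed per-user notBefore (epoch seconds); 0 = never set

@dataclass
class RefreshToken:
    session_id: str
    issued_at: int          # epoch seconds, like the JWT "iat" claim

class SessionStore:
    """Toy model of the two tiers: local Infinispan cache backed by the remote JDG cache."""
    def __init__(self):
        self.local, self.remote = {}, {}

    def get(self, session_id):
        # A local miss is served from the remote cache and loaded locally, which is
        # how a session that "logout all" never saw can reappear as valid.
        session = self.local.get(session_id)
        if session is None and session_id in self.remote:
            session = self.local[session_id] = self.remote[session_id]
        return session

    def remove_all_for_user(self, user_id):
        # "Logout all sessions" can only remove what is in the local cache.
        for sid in [s for s, v in self.local.items() if v["user_id"] == user_id]:
            del self.local[sid]

def logout_all(user, store, now):
    store.remove_all_for_user(user.user_id)
    user.not_before = now   # any token issued before this instant is now dead

def validate_refresh(token, user, store, enforce_not_before=True):
    if store.get(token.session_id) is None:
        return False
    return not (enforce_not_before and token.issued_at < user.not_before)

def demo():
    """Session 123 lives only on the remote cache; logout all runs at t=2000."""
    user, store = User("alice"), SessionStore()
    store.remote["123"] = {"user_id": "alice"}
    token = RefreshToken("123", issued_at=1000)
    logout_all(user, store, now=2000)
    return (validate_refresh(token, user, store, enforce_not_before=False),
            validate_refresh(token, user, store))
```

`demo()` returns `(True, False)`: without the notBefore check the replayed token is accepted once the session is pulled back from the remote cache, with the check it is rejected because it was issued before the logout.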