On 5/1/2014 2:17 PM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 4:30:08 PM
>> Subject: Re: [keycloak-dev] Account management requirements for beta1
>>
>> On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
>>> Yes, it should log out from all applications and clients, but not all
>>> devices.
>>>
>>
>> So logout is really a "device" logout. "Device" being a mobile or
>> desktop. Logging in creates a "login session" for the device you logged
>> in with. A logout from that device logs the user out of all applications
>> that device has interacted with.
> Yep, if a user wants to logout from all devices they have to do so explicitly through the
> account management console. We could also support this as a query param to the logout url
> (/tokens/logout?logout_all)?
Cookie should have the login-session information already.
>>
>>> To confirm, resources to invalidate include:
>>>
>>> * Refresh tokens
>>> * Identity cookie
>>> * Remember-me cookie
>>
>> Also:
>>
>> * application http sessions. Which means that we'll have to remember
>> which application's HTTP sessions correspond to the "login session" of
>> the device used to access the application.
> I assume this is the http sessions for the adapters, and not Keycloak itself? We could do
> this by adding the 'login session' id to the token?
Invalidating an http session requires a callback from the auth server to
the adapter's server.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
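The per-device logout model discussed in this thread, as an added toy example (not Keycloak's code): every refresh token and cookie is tied to a login session, the token embeds the session id, the logout endpoint invalidates that one session unless `logout_all` is set, and application HTTP sessions are dropped through a callback into the adapter. Names, cookie and token formats, and the `invalidate_app_session` callback are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class LoginSession:  # one per device (mobile, desktop) the user signed in from
    session_id: str
    user: str
    refresh_tokens: Set[str] = field(default_factory=set)
    cookies: Set[str] = field(default_factory=set)              # identity / remember-me cookie values
    app_sessions: Dict[str, str] = field(default_factory=dict)  # app name -> adapter HTTP session id

class AuthServer:
    """Toy auth server: every token and cookie is tied to a login session so logout can find them."""
    def __init__(self, invalidate_app_session: Callable[[str, str], None]):
        self.sessions: Dict[str, LoginSession] = {}
        self.live_tokens: Dict[str, str] = {}     # refresh token -> session id
        self.live_cookies: Dict[str, str] = {}    # cookie value -> session id
        self.invalidate_app_session = invalidate_app_session  # callback into the adapter's server
    def login(self, user: str, session_id: str) -> str:
        s = self.sessions[session_id] = LoginSession(session_id, user)
        cookie = f"IDENTITY:{session_id}"         # constructed cookie value; it carries the session id
        s.cookies.add(cookie)
        self.live_cookies[cookie] = session_id
        return cookie
    def issue_refresh_token(self, session_id: str, app: str, http_session_id: str) -> str:
        s = self.sessions[session_id]
        token = f"rt:{session_id}:{app}:{len(s.refresh_tokens)}"  # token embeds the login-session id
        s.refresh_tokens.add(token)
        self.live_tokens[token] = session_id
        s.app_sessions[app] = http_session_id     # remember which adapter session this device created
        return token
    def refresh_is_valid(self, token: str) -> bool:
        return token in self.live_tokens
    def logout(self, cookie: str, logout_all: bool = False) -> List[str]:
        """/tokens/logout: the cookie names the device's session; logout_all spans every device."""
        sid = self.live_cookies.get(cookie)
        if sid is None:
            return []                             # unknown or already-invalidated cookie
        user = self.sessions[sid].user
        targets = [s for s in self.sessions.values() if s.user == user] if logout_all else [self.sessions[sid]]
        for s in targets:
            for t in s.refresh_tokens:
                self.live_tokens.pop(t, None)
            for c in s.cookies:
                self.live_cookies.pop(c, None)
            for app, hsid in s.app_sessions.items():
                self.invalidate_app_session(app, hsid)  # adapter drops the application HTTP session
            del self.sessions[s.session_id]
        return sorted(s.session_id for s in targets)
```

Logging out the mobile session leaves the desktop's tokens and HTTP sessions intact; only `logout_all=True` removes every session the user holds, and another user's sessions are never touched.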