On 10/3/2014 6:30 AM, Marek Posolda wrote:
> On 3.10.2014 08:38, Stian Thorgersen wrote:
>> Let's take a step back here and consider the problem instead of a potential
>> solution.
>>
>> Currently we require all applications to have an HTTP session to keep track of the
>> user's session as well as storing the tokens. When an application is clustered this
>> requires replicating the HTTP session to all nodes, or using sticky load balancer
>> sessions.
>>
>> I think it's quite likely that some don't want to have an HTTP session and
>> instead store the token in a cookie to make the application fully stateless. That's
>> simple enough to add, right? And storing the token in an http-only cookie should be safe as
>> well. However, one issue remains: how do we deal with single sign-out in this case? As
>> there's no state kept in the application, a logout admin event from Keycloak isn't
>> going to work. So would we just rely on the access token expiring in this case? Or could
>> we add something better?
> One possibility I can think of is that adapters would have some
> option to specify if they are:
> - stateful (In this case HttpSession is used as is now)
> - stateless (In this case the token is stored in a cookie like
> KEYCLOAK_PRINCIPAL)
Stateless browser apps could also just be configured to override token
timeouts. Either:
a) Refresh the access token on every request
b) Do a shorter token timeout.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
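The stateless option discussed above, as an added illustration that is not part of this thread or of Keycloak's adapters: the token lives only in an HttpOnly cookie (named KEYCLOAK_PRINCIPAL as in Marek's mail), every request verifies the signature and expiry, and because the application keeps no state there is nothing for a logout admin event to invalidate, so the sign-out window is bounded by the token lifetime. Option (a), refreshing on every request, and option (b), a short lifetime, are both parameters of the request handler. The HMAC-signed token format, the shared secret and all function names are assumptions for the demo; a real adapter verifies the realm's RSA-signed JWT instead.

```python
"""Stateless adapter sketch (added example, not Keycloak code).

Assumptions: HMAC-signed demo token instead of the realm's RSA JWT,
a constructed secret, and helper names invented for this illustration.
Requires Python 3.8+ (SameSite support in http.cookies).
"""
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE_NAME = "KEYCLOAK_PRINCIPAL"      # cookie name mentioned in the thread
SECRET = b"constructed-demo-secret"     # constructed value for the demo only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime_s: int, now: Optional[float] = None) -> str:
    """Mint a signed token carrying the subject and an absolute expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + lifetime_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.

    No server-side lookup happens here: a token stays usable until 'exp'
    regardless of any logout event, which is the sign-out gap the thread
    discusses.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError):
        return None


def set_cookie_header(token: str, lifetime_s: int) -> str:
    """Build the Set-Cookie value: HttpOnly + Secure so scripts and plain HTTP never see it."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["max-age"] = lifetime_s
    return jar.output(header="").strip()


def handle_request(cookie_header: str, now: float, lifetime_s: int,
                   refresh_each_request: bool) -> Tuple[Optional[str], Optional[str]]:
    """Authenticate a request purely from its cookie.

    Returns (principal, set_cookie_or_None). With refresh_each_request=True
    (option a) a fresh token is issued on every authenticated request, so the
    idle window after the user stops using the app is lifetime_s; with it
    False (option b) lifetime_s is simply kept short.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    claims = verify_token(morsel.value, now) if morsel else None
    if claims is None:
        return None, None
    if refresh_each_request:
        fresh = issue_token(claims["sub"], lifetime_s, now)
        return claims["sub"], set_cookie_header(fresh, lifetime_s)
    return claims["sub"], None


if __name__ == "__main__":
    tok = issue_token("alice", 60, now=1000)
    print(handle_request(f"{COOKIE_NAME}={tok}", now=1030, lifetime_s=60,
                         refresh_each_request=True))
    print(verify_token(tok, now=1060))   # expired: None, nothing else can revoke it
```

The point to take from running it is the last line: once the cookie is the only state, "logout" from the Keycloak side cannot reach the token, so the lifetime chosen in option (b), or the idle window in option (a), is the real sign-out latency.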