That's pretty rubbish though. Say I've got a desktop, a laptop and a mobile, and
they're all logged in with a remember-me cookie. Then I use a friend's or a library
computer, and after I've clicked logout there I'm logged out everywhere.
That's really annoying, especially for mobiles.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 2:05:28 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> As long as we have a way for users to invalidate everything in accnt mngmt
> I agree that's sufficient.
>
> Setting UserModel.notBefore on user logout, would that not invalidate the
> session on other devices/browsers as well?
>
Yes, for those apps that don't have an HTTP session that can be
invalidated, they will eventually have to do a refresh and the refresh
token would be invalid which would force a relog.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
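
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: a simplified model of a refresh check against a per-user not-before cutoff, next to a per-session revocation list. All class, field and method names, the timestamps, and the choice of comparison are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model, not Keycloak code: every name here is hypothetical.
public class NotBeforeDemo {
    // A refresh token reduced to the three fields that matter for this comparison.
    record RefreshToken(String user, String sessionId, long issuedAt) {}

    static final Map<String, Long> userNotBefore = new HashMap<>(); // per-user cutoff
    static final Set<String> revokedSessions = new HashSet<>();     // per-session revocation

    // Per-user policy: logout moves the user's cutoff forward, so every token
    // issued before it is rejected, whichever device holds it.
    static boolean refreshAllowedPerUser(RefreshToken t) {
        return t.issuedAt() >= userNotBefore.getOrDefault(t.user(), 0L);
    }

    // Per-session policy: only the session that logged out is rejected.
    static boolean refreshAllowedPerSession(RefreshToken t) {
        return !revokedSessions.contains(t.sessionId());
    }

    public static void main(String[] args) {
        // Constructed sample data: three remembered devices plus a library computer.
        List<RefreshToken> tokens = List.of(
            new RefreshToken("alice", "desktop", 100),
            new RefreshToken("alice", "laptop", 200),
            new RefreshToken("alice", "mobile", 300),
            new RefreshToken("alice", "library", 400));

        long logoutTime = 500; // alice clicks logout on the library computer
        userNotBefore.put("alice", logoutTime); // what a per-user cutoff records
        revokedSessions.add("library");         // what a per-session model records

        for (RefreshToken t : tokens) {
            System.out.printf("%-8s perUser=%-5b perSession=%b%n",
                t.sessionId(), refreshAllowedPerUser(t), refreshAllowedPerSession(t));
        }
        // Per-user cutoff: all four tokens fail their next refresh (logged out everywhere).
        // Per-session list: only "library" fails; desktop, laptop and mobile keep working.
    }
}
```

A per-user cutoff remains useful as the "invalidate everything" control in account management, while ordinary logout would need per-session state to avoid ending the user's other sessions.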