Currently adapters use the HTTP session to manage sessions. This works fine for most, but
I believe there are situations when something different is needed, for example for
stateless applications. It also doesn't work for bearer-only applications or OAuth
clients.
I propose we add a Session SPI to adapters, which allows plugging in a mechanism to manage
user sessions. The interface would be something along the lines of:
* void addSession(String userId, String sessionId)
* boolean isSessionValid(String sessionId)
* boolean removeSession(String userId, String sessionId)
We could provide a few built-in providers:
* HTTP Session - store in the HTTP session as we currently do
* Infinispan - store in an Infinispan cache
* JPA - store in a database
* Keycloak Session Endpoint - we could add a session info endpoint to Keycloak
* None - no session management (relies on expiration of access token to logout users)
Further, we probably need to add some option to enable/disable logout admin events for
applications. For example:
* Keycloak Session Endpoint - no need to send logout events
* JPA (or Infinispan) - if multiple applications share a session database, it's only
necessary to send the logout event to one application
Thoughts?
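As an added illustration (not code from the post above or from Keycloak itself), here is one way the proposed SPI could look in Java: a shared store standing in for the Infinispan/JPA providers, the "None" provider, and the adapter-side request check that combines the access token's expiry with whatever the store says. The interface name `AdapterSessionStore`, the class names, the per-user index used to handle a logout admin event, and the 300-second TTL are all assumptions made for the example.

```java
import java.time.Instant;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical shape of the proposed Session SPI (assumed; not Keycloak's real interface).
interface AdapterSessionStore {
    void addSession(String userId, String sessionId);
    boolean isSessionValid(String sessionId);
    boolean removeSession(String userId, String sessionId);
}

/**
 * Stand-in for a shared (Infinispan/JPA-style) provider: sessions live outside the
 * HTTP session, so bearer-only or stateless apps can use it. A per-user index lets a
 * single logout admin event drop every session of that user, and each entry carries
 * an expiry so a session nobody removed still dies together with its token.
 */
final class SharedSessionStore implements AdapterSessionStore {
    private static final class Entry {
        final String userId; final Instant expiresAt;
        Entry(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }
    private final ConcurrentMap<String, Entry> bySession = new ConcurrentHashMap<>();
    private final ConcurrentMap<String, Set<String>> byUser = new ConcurrentHashMap<>();
    private final long ttlSeconds;

    SharedSessionStore(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    @Override public void addSession(String userId, String sessionId) {
        bySession.put(sessionId, new Entry(userId, Instant.now().plusSeconds(ttlSeconds)));
        byUser.computeIfAbsent(userId, u -> ConcurrentHashMap.<String>newKeySet()).add(sessionId);
    }

    @Override public boolean isSessionValid(String sessionId) {
        Entry e = bySession.get(sessionId);
        if (e == null) return false;
        if (!Instant.now().isBefore(e.expiresAt)) {   // lazily purge expired entries
            removeSession(e.userId, sessionId);
            return false;
        }
        return true;
    }

    @Override public boolean removeSession(String userId, String sessionId) {
        Entry e = bySession.get(sessionId);
        // A logout naming the wrong user must not be able to end someone else's session.
        if (e == null || !e.userId.equals(userId)) return false;
        bySession.remove(sessionId, e);
        Set<String> ids = byUser.get(userId);
        if (ids != null) ids.remove(sessionId);
        return true;
    }

    /** Logout admin event for a user: remove every session that user has; returns the count. */
    int removeAllSessions(String userId) {
        Set<String> ids = byUser.remove(userId);
        if (ids == null) return 0;
        int n = 0;
        for (String id : ids) if (bySession.remove(id) != null) n++;
        return n;
    }
}

/** The "None" provider: nothing is tracked; only the access token's expiry ends a session. */
final class NoSessionStore implements AdapterSessionStore {
    @Override public void addSession(String userId, String sessionId) { }
    @Override public boolean isSessionValid(String sessionId) { return true; }
    @Override public boolean removeSession(String userId, String sessionId) { return false; }
}

/** What an adapter's per-request check could look like once the store is pluggable. */
final class RequestAuthorizer {
    private final AdapterSessionStore store;
    RequestAuthorizer(AdapterSessionStore store) { this.store = store; }

    /** tokenExp is the exp claim (epoch seconds) of an access token whose signature was already verified. */
    boolean allow(String sessionId, long tokenExp) {
        if (Instant.now().getEpochSecond() >= tokenExp) return false; // token expired: always deny
        return store.isSessionValid(sessionId);                      // the provider decides the rest
    }
}

public class SessionSpiDemo {
    public static void main(String[] args) {
        long exp = Instant.now().getEpochSecond() + 300;  // constructed: token valid for 5 more minutes
        SharedSessionStore shared = new SharedSessionStore(300);
        RequestAuthorizer withStore = new RequestAuthorizer(shared);
        shared.addSession("alice", "sess-1");
        shared.addSession("alice", "sess-2");
        System.out.println("shared store, before logout event: " + withStore.allow("sess-1", exp));
        System.out.println("sessions removed by logout event:   " + shared.removeAllSessions("alice"));
        System.out.println("shared store, after logout event:  " + withStore.allow("sess-1", exp));

        RequestAuthorizer noStore = new RequestAuthorizer(new NoSessionStore());
        System.out.println("none provider, token still valid:  " + noStore.allow("sess-1", exp));
        System.out.println("none provider, token expired:      " + noStore.allow("sess-1", exp - 600));
    }
}
```

The two points worth noting for the logout-event discussion: with a shared store, `removeAllSessions` run by any one application invalidates the session for all of them, which is why only one application would need to receive the event; and with the "None" provider the logout event has no effect at all, so the access token lifetime is the effective logout latency.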