In that case I'm not convinced. I'd expect all 'clients' to be logged out
when I logout of the SSO realm. Unless I've explicitly granted the client offline
access (something we don't really support atm).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 16 May, 2014 4:09:00 PM
Subject: Re: [keycloak-dev] oauth clients and session problems
No, I'm talking about browser-based oauth grant. Where the client
initiating the token request is an oauth client and the user has to
login and go to the oauth grant page.
On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> Are you talking about 'tokens/grants/access'?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 16 May, 2014 2:48:06 PM
>> Subject: [keycloak-dev] oauth clients and session problems
>>
>> I think oauth grants are a different animal than application logins.
>> Applications are part of an SSO session, while oauth grants will
>> probably not want to be part of an SSO session. Why? If an Oauth grant
>> requires entering in user credentials, right now, Keycloak will create a
>> identity cookie. The user might not know in this situation that they
>> need to logout.
>>
>> I was thinking that:
>>
>> 1. OAuth Client grant requests should always have a new session created
>> for them.
>> 2. OAuth client grant requests should not ever set any cookies. Its ok
>> to use existing cookies for authentication though.
>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
>> for each oauth client and application.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com