Yes, it should log out from all applications and clients, but not all devices.
To confirm, the resources to invalidate include:
* Refresh tokens
* Identity cookie
* Remember-me cookie
What about this: when a user logs in we create a unique "login-code" for that device,
which is stored in the identity cookie. All refresh tokens and remember-me cookies are then
associated with this code as well. A UserModel would have a list of valid
"login-codes", and on a standard logout the "login-code" from the
current identity cookie would be removed from the UserModel. This would invalidate all
refresh tokens and cookies created for that particular device/browser.
In account management we'd have an additional option to log out everything. Doing this
would set the notBefore on the UserModel to "now", as well as remove all
"login-codes". This would invalidate all current refresh tokens and cookies for
all devices/browsers.
With regards to OAuth Grants, as we don't currently remember what grants a user has
given to a client, I don't think we need to add anything in account management for it.
Once we remember grants then we should also allow users to view and revoke grants.
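Below, as an added example that is not part of this thread and not Keycloak's own code, is a small Python model of the per-device "login-code" scheme described above. The names UserModel, login_codes, not_before, IdentityCookie and RefreshToken are chosen here to mirror the discussion and are assumptions, not Keycloak identifiers. It shows the two behaviours the message proposes: a standard logout drops only the current device's code, so that device's refresh token stops validating while other devices are untouched, and "log out everything" clears all codes and moves notBefore to now.

```python
"""Model of the per-device login-code logout scheme (added example, not Keycloak code).

Assumed names: UserModel, login_codes, not_before, IdentityCookie, RefreshToken.
Timestamps are plain epoch seconds passed in explicitly so the demo is deterministic.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class UserModel:
    username: str
    not_before: int = 0                         # tokens issued before this instant are rejected
    login_codes: set = field(default_factory=set)  # one code per logged-in device/browser


@dataclass(frozen=True)
class IdentityCookie:
    username: str
    login_code: str
    issued_at: int


@dataclass(frozen=True)
class RefreshToken:
    username: str
    login_code: str
    issued_at: int


def login(user: UserModel, now: int):
    """Login on a new device/browser: mint a fresh login-code, register it on the
    user, and bind both the identity cookie and the refresh token to that code."""
    code = secrets.token_urlsafe(16)
    user.login_codes.add(code)
    return IdentityCookie(user.username, code, now), RefreshToken(user.username, code, now)


def is_valid(user: UserModel, token) -> bool:
    """A cookie or refresh token is accepted only if its login-code is still registered
    on the user AND it was issued at or after user.not_before. The not_before check is
    belt-and-braces: it also rejects tokens that predate the code mechanism."""
    return token.login_code in user.login_codes and token.issued_at >= user.not_before


def logout(user: UserModel, cookie: IdentityCookie) -> None:
    """Standard logout: remove only this device's login-code. Every refresh token and
    remember-me cookie sharing that code stops validating; other devices keep working."""
    user.login_codes.discard(cookie.login_code)


def logout_everything(user: UserModel, now: int) -> None:
    """Account-management 'log out everything': drop all codes and set notBefore to now."""
    user.login_codes.clear()
    user.not_before = now


def demo():
    """Constructed scenario: desktop, mobile and a library computer are logged in."""
    user = UserModel("alice")
    t0 = 1_000
    _desk_cookie, desk_refresh = login(user, t0)
    mob_cookie, mob_refresh = login(user, t0 + 1)
    lib_cookie, lib_refresh = login(user, t0 + 2)

    # Logging out at the library only kills the library session.
    logout(user, lib_cookie)
    after_single = (is_valid(user, lib_refresh),
                    is_valid(user, desk_refresh),
                    is_valid(user, mob_cookie))

    # "Log out everything" from account management kills the remaining sessions.
    logout_everything(user, t0 + 10)
    after_all = (is_valid(user, desk_refresh), is_valid(user, mob_refresh))

    # A fresh login after that is accepted again, since it postdates not_before.
    _new_cookie, new_refresh = login(user, t0 + 11)
    return after_single, after_all, is_valid(user, new_refresh)


if __name__ == "__main__":
    print(demo())
```

The refresh token and remember-me cookie carry the same login-code as the identity cookie, which is what lets a single-click logout on one device revoke everything minted for that device without touching the user's other sessions.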
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 2:58:43 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
How do you propose single logout works then? You want single log out to
be a single click, not a questionnaire on which apps to log out of.
On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
> That's pretty rubbish though. Say I've got a desktop, a laptop and a
> mobile, and they're all logged-in with a remember-me cookie. Then I use a
> friend's or a library computer, and after I've clicked logout there I'm
> logged out everywhere. That's really annoying, especially for mobiles.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 2:05:28 PM
>> Subject: Re: [keycloak-dev] Account management requirements for beta1
>>
>>
>>
>> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
>>> As long as we have a way for users to invalidate everything in accnt
>>> mngmt
>>> I agree that's sufficient.
>>>
>>> Setting UserModel.notBefore on user logout, would that not invalidate
>>> the
>>> session on other devices/browsers as well?
>>>
>>
>> Yes, for those apps that don't have an HTTP session that can be
>> invalidated, they will eventually have to do a refresh and the refresh
>> token would be invalid which would force a relog.
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com