Good morning Stian,
Is the revocation of the refresh token[1][2] also planned?
[1] -
As we didn't have enough things to do last minute I come up with
more things which I think we should do for 1.0.final:
1. Configure JPA through keycloak-server.json instead of persistence.xml
This would be super simple to do, and would let us have a single persistence.xml for
everything (testsuite, server, project-integrations). Everything worthy of configuring in
persistence.xml (including datasource) can be passed in the Map overrides when creating
the EntityManagerFactory.
2. Introduce server-dependencies-min and server-dependencies-all poms
We have a few places that includes all the dependencies required (server,
testsuite/integration and testsuite/) as well as other project such as AeroGear and
LiveOak. Instead of everyone having to list all the dependencies they could have a single
dependency on either server-dependencies-min or server-dependencies-all. Min would exclude
most if not all provider implementations (such as PicketLink/LDAP, social providers,
etc).
3. TOTP SPI
At the moment we only support Google Authenticator, I don't think that's
sufficient. We should at the very least add support for one more, and have an SPI so users
can add their own. I think this would be related to the UserProvider sync work, as some
UserProvider implementations may require both a password and totp to verify a users
credentials, while others would only be able to verify the password and then have Keycloak
verify the totp.
Also, do we need to support users with more than one totp? Personally I have two for work
(one I use daily and another for backup).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev