On 6/30/2015 1:42 PM, Bill Burke wrote:
On 6/30/2015 11:00 AM, Stan Silvert wrote:
> On 6/30/2015 9:22 AM, Bill Burke wrote:
>> On 6/30/2015 8:23 AM, Stan Silvert wrote:
>>> On 6/29/2015 8:34 PM, Bill Burke wrote:
>>>> On 6/29/2015 5:39 PM, Stan Silvert wrote:
>>>>> On 6/29/2015 5:26 PM, Bill Burke wrote:
>>>>>> We do need some way to listen at the adapter level for a logout event
>>>>>> sent by the auth server. Undertow and Tomcat and Jetty all have ways to
>>>>>> listen for session invalidation events I believe too. Not sure if the
>>>>>> servlet spec has something standard.
>>>>> Yes, the servlet spec has HttpSessionListener with a sessionDestroyed()
>>>>> callback.
>>>>>
>>>>> We could come up with some javascript that you put on the client side
>>>>> that registers with the adapter and gets notified of session
>>>>> invalidation. I'm just wondering if it's something we should provide or
>>>>> not.
>>>> Javascript adapter already checks for logout.
>>>>
>>> What would you suggest for apps that use the other adapters?
>> They should use regular servlet means to timeout the session.
>>
> That's not what I'm asking about. I'm asking if we should provide a
> standard callback to the client when the timeout occurs.
>
> The client wants to provide a notification to the user about the session
> timeout. Right now, it is up to each application to build their own
> infrastructure for doing that.
For a servlet app, this "infrastructure" already exists. As you said
before, you can set up an HttpSessionListener. For a javascript app,
our javascript adapter already handles this.
And how does the user get notified?
> But we could provide an out of the box
> solution that works for the entire realm. What we would need is a
> standard way for the client to register a callback with our adapters.
> Or it could register the callback with the Keycloak server. (Or a
> heartbeat instead of a callback. There are many ways to do this.)
>
> The main point is that Keycloak could provide a realm-wide solution.
> That's what the customer is wanting.
Our background session expiration task currently just wipes away the
sessions in Keycloak server. If it was changed to perform a
backchannel logout, then the adapters would always get notified and
again, the app developer can just implement an HttpSessionListener.