1:28 a.m.
On 5 June 2018 at 22:13, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
when you click on tab "Sessions", you can see the screen with the:
- counts of Active Sessions
- counts of Offline Sessions
- Button "Logout All"
See the screenshot how the screen currently looks like:
https://pasteboard.co/HowNZ2I.png
We have the JIRA https://issues.jboss.org/browse/KEYCLOAK-7055 and the
PR with the discussion https://github.com/keycloak/keycloak/pull/5126 .
In shortcut, JIRA and PR points few issues:
1) There is no way to logout all active sessions only (Keep the offline
sessions)
2) There is no way to logout all offline sessions only (Keep the active
sessions)
3) When you click on the button, there is no confirmation dialog. It
seems that "Logout all" is quite an important step and confirmation
should be there.
4) When you click on the button, it will do something between. All
active sessions are cleared from infinispan, but offline sessions are
NOT cleared. There is just realm notBefore policy updated, which
indirectly invalidates the offline sessions, but they are still kept in
infinispan and DB, which itself is a bug IMO.
So how to address all the issues? I can see something like this:
- Instead of 1 button, have 3 buttons (Logout all active sessions,
Logout all offline sessions, Logout all)
Sounds good, but might look a bit messy with those long labels and 3
buttons. Do we need 3 buttons? Or is "Logout active" and "Logout
offline"
sufficient? Do we have a better term for non-offline than active?
- All the buttons will display confirmation dialog
+1
- The "Logout all" will also update notBefore policy like it's done now.
It will clear all the "Active" and "Offline" sessions from
infinispan.
This will be displayed in the confirmation dialog. So confirmation for
"Logout all" will be like: "Do you want to logout all active sessions
and offline sessions and update realm notBefore policy?" The other 2
buttons won't update not-before policy (we can't do that unless we have
separate not-before for active sessions and for offline sessions, but I
vote to not do that considering the required complexity of this).
Should it also clear sessions from the DB?
- The message for "Logout all" will be sent to all the clients with
adminUrl (which is already done).
One related issue is, that currently we don't have a way to notify
client applications that offline sessions were invalidated. I was
thinking if we could have a way to register some listener for various
adapter events (Logout all, logout all active/offline sessions, logout
single active/offline session)? Client application can listen to the
events and do something (EG. remove saved offline token from it's DB).
I'm not to keen on more bespoke logout protocols. Have we studied the OIDC
backchannel/frontchannel specs yet? Is there a way to do this in a standard
way?
WDYT?
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev