How do you propose single logout works then? You want single log out to
be a single click, not a questionnaire on which apps to log out of.
On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
That's pretty rubbish though. Say I've got a desktop, a laptop and a
mobile, and they're all logged-in with a remember-me cookie. Then I use a
friend's or a library computer, and after I've clicked logout there I'm
logged out everywhere. That's really annoying, especially for mobiles.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 1 May, 2014 2:05:28 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
>
>
>
> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
>> As long as we have a way for users to invalidate everything in accnt mngmt
>> I agree that's sufficient.
>>
>> Setting UserModel.notBefore on user logout, would that not invalidate the
>> session on other devices/browsers as well?
>>
>
> Yes, for those apps that don't have an HTTP session that can be
> invalidated, they will eventually have to do a refresh and the refresh
> token would be invalid which would force a relog.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
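
The not-before behaviour discussed in this thread, as an added sketch that is not Keycloak code and was not posted by either participant: a toy issuer keeps one not-before timestamp per user, and a refresh is refused when the token was issued before it. `ToyIssuer`, `scenario`, the token format and all timestamps are constructed for illustration, and treating a token issued in the same second as the logout as still valid is an assumption.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key for this sketch

class ToyIssuer:
    """Hypothetical issuer with one not-before timestamp per user."""
    def __init__(self):
        self.not_before = {}  # user -> epoch seconds, set on logout

    def _mac(self, body):
        return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

    def login(self, user, device, now):
        claims = {"sub": user, "dev": device, "iat": now}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return body + b"." + self._mac(body)  # refresh token

    def logout(self, user, now):
        # Assumption: logout records only a timestamp, no per-device state.
        self.not_before[user] = now

    def refresh(self, token, now):
        body, mac = token.rsplit(b".", 1)
        if not hmac.compare_digest(mac, self._mac(body)):
            raise ValueError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        # Any token issued before the user's not-before is rejected,
        # regardless of which device or browser it was issued to.
        if claims["iat"] < self.not_before.get(claims["sub"], 0):
            raise PermissionError("refresh token predates not-before")
        return {"sub": claims["sub"], "dev": claims["dev"], "iat": now}

def scenario():
    """Constructed timeline: three remembered devices, logout on a fourth."""
    idp = ToyIssuer()
    devices = ["desktop", "laptop", "mobile", "library"]
    tokens = {d: idp.login("alice", d, now=1000 + i) for i, d in enumerate(devices)}
    idp.logout("alice", now=2000)  # clicked on the library computer
    outcome = {}
    for dev, tok in tokens.items():
        try:
            idp.refresh(tok, now=2100)
            outcome[dev] = "refreshed"
        except PermissionError:
            outcome[dev] = "relogin"
    # A login after the logout gets a token newer than not-before.
    outcome["mobile-after-relogin"] = "refreshed" if idp.refresh(
        idp.login("alice", "mobile", now=2200), now=2300) else "relogin"
    return outcome
```

Because the check keys on the user and the issue time only, the single logout click on the library machine forces a new login on every remembered device at its next refresh.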