On Wed, Jun 6, 2018 at 8:28 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
On 5 June 2018 at 22:13, Marek Posolda <mposolda(a)redhat.com>
wrote:
> Hi,
>
> when you click on tab "Sessions", you can see the screen with the:
> - counts of Active Sessions
> - counts of Offline Sessions
> - Button "Logout All"
>
> See the screenshot of how the screen currently looks:
>
> https://pasteboard.co/HowNZ2I.png
>
> We have the JIRA https://issues.jboss.org/browse/KEYCLOAK-7055 and the
> PR with the discussion https://github.com/keycloak/keycloak/pull/5126 .
> In short, the JIRA and PR point out a few issues:
> 1) There is no way to logout all active sessions only (Keep the offline
> sessions)
>
> 2) There is no way to logout all offline sessions only (Keep the active
> sessions)
>
> 3) When you click on the button, there is no confirmation dialog. It
> seems that "Logout all" is quite an important step and confirmation
> should be there.
>
> 4) When you click on the button, it will do something in between. All
> active sessions are cleared from infinispan, but offline sessions are
> NOT cleared. Only the realm notBefore policy is updated, which
> indirectly invalidates the offline sessions, but they are still kept in
> infinispan and DB, which itself is a bug IMO.
>
> So how to address all the issues? I can see something like this:
> - Instead of 1 button, have 3 buttons (Logout all active sessions,
> Logout all offline sessions, Logout all)
>
Sounds good, but might look a bit messy with those long labels and 3
buttons. Do we need 3 buttons? Or is "Logout active" and "Logout offline"
sufficient? Do we have a better term for non-offline than active?
>
> - All the buttons will display confirmation dialog
>
+1
>
> - The "Logout all" will also update notBefore policy like it's done now.
> It will clear all the "Active" and "Offline" sessions from infinispan.
> This will be displayed in the confirmation dialog. So confirmation for
> "Logout all" will be like: "Do you want to logout all active sessions
> and offline sessions and update realm notBefore policy?" The other 2
> buttons won't update not-before policy (we can't do that unless we have
> separate not-before for active sessions and for offline sessions, but I
> vote to not do that considering the required complexity of this).
>
Should it also clear sessions from the DB?
>
> - The message for "Logout all" will be sent to all the clients with
> adminUrl (which is already done).
>
> One related issue is that currently we don't have a way to notify
> client applications that offline sessions were invalidated. I was
> thinking if we could have a way to register some listener for various
> adapter events (Logout all, logout all active/offline sessions, logout
> single active/offline session)? Client application can listen to the
> events and do something (e.g. remove saved offline token from its DB).
>
I'm not too keen on more bespoke logout protocols. Have we studied the OIDC
backchannel/frontchannel specs yet? Is there a way to do this in a standard
way?
Apparently even the spec is not clear about this; they suggest that there
should be a "signal" (a particular claim?) to indicate whether the offline
tokens should be revoked as well.
"Refresh tokens issued with the offline_access property normally SHOULD NOT
be revoked. NOTE: An open issue for the specification is whether to define
an additional optional parameter in the logout token, probably as a value
in the event-specific parameters JSON object, that explicitly signals that
offline_access refresh tokens are also to be revoked."
http://openid.net/specs/openid-connect-backchannel-1_0.html#Backchannel
BTW, are we currently using a Logout Token as specified in the specs?
>
> WDYT?
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
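As an added illustration of the Logout Token discussion above (this is example code written for this thread, not Keycloak's or the adapters' own implementation), the snippet below shows what a client-side back-channel logout handler checks before it touches any stored session or offline token, and where a "signal" for revoking offline_access refresh tokens would live if the spec defined one. Assumptions: the token is HS256-signed with a shared secret so the example runs offline (a real OP would normally use an asymmetric key from its JWKS endpoint); the client store is a plain dict; and the parameter name `revoke_offline_access` is hypothetical, since the spec text quoted above says this is an open issue.

```python
import base64
import hashlib
import hmac
import json
import time

# Event key from OIDC Back-Channel Logout 1.0 (the "events" claim of a Logout Token).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# HYPOTHETICAL event-specific parameter: not defined by the spec (the spec calls
# it an open issue). Shown only to mark where such a signal would be carried.
REVOKE_OFFLINE_PARAM = "revoke_offline_access"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT. Constructed for the demo only; a real OP would
    normally sign with an asymmetric key published on its JWKS endpoint."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_logout_token(token, secret, issuer, client_id, now=None, max_age=300):
    """Validate a back-channel Logout Token and return its claims.
    Raises ValueError on any failed check, so a bad token never reaches the store."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; rejects "none" too
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat missing or outside the acceptable window")
    if not claims.get("jti"):
        raise ValueError("jti missing")
    if "nonce" in claims:                      # a Logout Token must never carry a nonce
        raise ValueError("nonce MUST NOT be present in a logout token")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("need sub or sid")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    return claims


def handle_logout(token, secret, issuer, client_id, store, now=None) -> dict:
    """Apply a verified Logout Token to a hypothetical client-side store:
    store = {"sessions": {sid: sub}, "offline_tokens": {sub: refresh_token}}."""
    claims = verify_logout_token(token, secret, issuer, client_id, now=now)
    seen = store.setdefault("seen_jti", set())  # replay protection on jti
    if claims["jti"] in seen:
        raise ValueError("replayed logout token (jti already processed)")
    seen.add(claims["jti"])

    sessions = store["sessions"]
    if claims.get("sid"):                       # end one session by sid ...
        ended = [s for s in sessions if s == claims["sid"]]
    else:                                       # ... or every session of the subject
        ended = [s for s, sub in sessions.items() if sub == claims["sub"]]
    for s in ended:
        del sessions[s]

    # Offline tokens are left alone unless the (hypothetical) signal is present.
    params = claims["events"][BACKCHANNEL_LOGOUT_EVENT]
    revoked_offline = False
    if params.get(REVOKE_OFFLINE_PARAM) is True and claims.get("sub") in store["offline_tokens"]:
        del store["offline_tokens"][claims["sub"]]
        revoked_offline = True
    return {"sessions_ended": ended, "offline_revoked": revoked_offline}
```

The point this makes for the thread: without a defined signal, a spec-conforming client has no standard way to learn that its saved offline token is dead, so it keeps it until the next refresh fails; the `revoke_offline_access` branch shows how little the client side would need if the open issue were settled.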