No, I'm talking about browser-based oauth grant. Where the client
initiating the token request is an oauth client and the user has to
login and go to the oauth grant page.
On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
Are you talking about 'tokens/grants/access'?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 16 May, 2014 2:48:06 PM
> Subject: [keycloak-dev] oauth clients and session problems
>
> I think oauth grants are a different animal than application logins.
> Applications are part of an SSO session, while oauth grants will
> probably not want to be part of an SSO session. Why? If an Oauth grant
> requires entering in user credentials, right now, Keycloak will create a
> identity cookie. The user might not know in this situation that they
> need to logout.
>
> I was thinking that:
>
> 1. OAuth Client grant requests should always have a new session created
> for them.
> 2. OAuth client grant requests should not ever set any cookies. Its ok
> to use existing cookies for authentication though.
> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
> for each oauth client and application.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com