We have most of this via a not-before policy you can set at the realm
level, application, client, or user level. No ability yet to view
tokens that have been given out though and which may still be valid.
Only an admin can set the not-before policy right now.
* Make sure all not-before policies are checked before login or refresh
* Set UserModel.notBefore when a user does a logout.
* Allow a user to invalidate all grants (sets UserModel.notBefore(now))
Not a priority:
* Allow a user to view and invalidate specific oauth grants. We can
just make it all or nothing. I just think there's higher priority
things to do.
On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
With regard to account management, what additional requirements do we
have for beta1?
Features I can think of to add now or in the future include:
* Manage refresh tokens - view applications and clients that have refresh tokens, and the ability to invalidate specific tokens
* Manage devices - view browsers and devices that have access (remember-me cookie?), and the ability to invalidate specific cookies
* Manage devices that can bypass TOTP - it seems to be quite common that it's possible to not require asking for TOTP again for a specific device. I assume this is done by setting a cookie; if we enable this it should be possible to view what devices have this option, as well as invalidate them
* Manage applications - view all applications, be able to navigate to an application, and the ability to invalidate access to a specific application
* Manage clients - view all clients and what grants they have, and the ability to revoke access to a specific client
I think listing client grants, invalidating specific client grants, and a logout-everything
option would be sufficient. The logout-everything option would invalidate any refresh
tokens, remember-me cookies, 'skip TOTP' cookies and do an SSO logout.
keycloak-dev mailing list
JBoss, a division of Red Hat
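The layered not-before check that the reply above describes (a policy at realm, application, client, or user level, consulted before login or refresh, with logout and "invalidate all grants" setting the user's notBefore to now) is modelled in the following added example. It is illustrative code written for this thread, not Keycloak's implementation: the `Realm`/`Token` classes, the `issued_at >= not_before` comparison, and the second-granularity timestamps are assumptions, and the scenario values are constructed.

```python
"""Model of a layered not-before check for issued tokens (illustrative, not Keycloak code).

A token is honoured only if it was issued at or after every not-before instant
that applies to it: realm, application, client and user.  Raising any one of
those instants retires all earlier tokens at that scope in one step, which is
how "logout" and "invalidate all grants" work without tracking individual
tokens.  Timestamps are integer seconds, as in a JWT "iat" claim (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Realm:
    """Not-before policies at every level an admin (or user) can set."""
    not_before: int = 0                                            # realm-wide
    applications: Dict[str, int] = field(default_factory=dict)     # app name -> notBefore
    clients: Dict[str, int] = field(default_factory=dict)          # client id -> notBefore
    users: Dict[str, int] = field(default_factory=dict)            # username -> notBefore


@dataclass
class Token:
    """The parts of an issued token the check needs (hypothetical structure)."""
    user: str
    issued_at: int
    application: Optional[str] = None
    client: Optional[str] = None


def effective_not_before(realm: Realm, token: Token) -> int:
    """The strictest (latest) not-before instant that applies to this token."""
    return max(
        realm.not_before,
        realm.applications.get(token.application or "", 0),
        realm.clients.get(token.client or "", 0),
        realm.users.get(token.user, 0),
    )


def is_token_valid(realm: Realm, token: Token) -> bool:
    """Check every not-before policy; run this before login and before refresh."""
    return token.issued_at >= effective_not_before(realm, token)


def logout_user(realm: Realm, user: str, now: int) -> None:
    """Logout / 'invalidate all grants' for a user: UserModel.notBefore = now."""
    realm.users[user] = now


def revoke_application(realm: Realm, application: str, now: int) -> None:
    """Admin-only: retire every token issued to an application before `now`."""
    realm.applications[application] = now


def scenario() -> Dict[str, bool]:
    """Constructed walk-through; returns the validity of each token at each step."""
    realm = Realm()
    results: Dict[str, bool] = {}

    first = Token(user="alice", issued_at=1000, application="billing", client="web")
    results["fresh token"] = is_token_valid(realm, first)                   # True

    logout_user(realm, "alice", now=1500)                                    # alice logs out
    results["after user logout"] = is_token_valid(realm, first)              # False
    results["other user unaffected"] = is_token_valid(
        realm, Token(user="bob", issued_at=1000, application="billing"))     # True

    second = Token(user="alice", issued_at=1600, application="billing", client="web")
    results["re-login token"] = is_token_valid(realm, second)                # True

    revoke_application(realm, "billing", now=2000)                           # admin acts
    results["after app revoke"] = is_token_valid(realm, second)              # False
    results["app boundary (iat == notBefore)"] = is_token_valid(
        realm, Token(user="alice", issued_at=2000, application="billing"))   # True

    realm.not_before = 3000                                                  # realm-wide reset
    results["after realm reset"] = is_token_valid(
        realm, Token(user="alice", issued_at=2500, application="reports"))   # False
    return results


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:40s} {'valid' if ok else 'rejected'}")
```

Two points the walk-through makes visible: a user-level notBefore only retires that user's tokens, while an application- or realm-level one cuts across users; and because the comparison is `>=` on second-granularity timestamps, a token issued in the same second as the logout still passes. A deployment that needs a hard cut at logout would compare strictly or use finer timestamps; the model keeps the boundary case explicit so that choice is deliberate.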