This actually helps alot with single log out and the admin console!
On 5/9/2014 9:57 AM, Stian Thorgersen wrote:
Good thing we are slow about different things, otherwise we'd not
manage to do anything ;)
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 9 May, 2014 2:52:20 PM
> Subject: Re: [keycloak-dev] User sessions added
>
> Duh... :) Now its my turn to be slow...
>
> So the iframe solution is a good one :) I'll add it to keycloak.js
>
>
> On 5/9/2014 9:38 AM, Stian Thorgersen wrote:
>> Could we not have a separate session state cookie that is not HttpOnly?
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, 9 May, 2014 2:36:09 PM
>>> Subject: Re: [keycloak-dev] User sessions added
>>>
>>> That's what I was saying before. There is no benefit in using Iframes
>>> if your login cookies are HttpOnly. Your set timeout is *already*
>>> happening indirectly via refresh tokens.
>>>
>>> The only other benefit might be in that you'd have to enable CORS for
>>> that "ping" request which might be a pain.
>>>
>>> On 5/9/2014 9:10 AM, Stian Thorgersen wrote:
>>>> What then is the benefit of having this iframe compared to just adding
>>>> something like the following to keycloak.js:
>>>>
>>>> setTimeout(function() {
>>>> var req = new XMLHttpRequest();
>>>> req.open('GET',
>>>>
'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...',
>>>> true);
>>>> req.onreadystatechange = function () {
>>>> if (req.readyState == 4 && req.status == 200) {
>>>> var status = JSON.parse(req.responseText);
>>>> if (!status.active) {
>>>> clearToken();
>>>> }
>>>> }
>>>> }
>>>> req.send();
>>>> }, 3000);
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Friday, 9 May, 2014 1:41:02 PM
>>>>> Subject: Re: [keycloak-dev] User sessions added
>>>>>
>>>>>
>>>>>
>>>>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
>>>>>> User sessions have been added. In summary when a user logs in a
new
>>>>>> session
>>>>>> is created (and persisted in the model). The identity cookie as
well as
>>>>>> all tokens/refresh-tokens are associated with a session. When a
user
>>>>>> logs
>>>>>> out the session is invalidated (removed from the model), which
>>>>>> invalidates
>>>>>> the identity cookie and all tokens/refresh-tokens.
>>>>>>
>>>>>> There's two related issues left to do:
>>>>>>
>>>>>> * Make sure adapters only log out a specific session (if
LoginAction
>>>>>> contains a session id)
>>>>>> * Allow a user to log out all sessions through the account
management
>>>>>> console
>>>>>>
>>>>>> Also, we may want some mechanism to retrieve the status of a
session
>>>>>> from
>>>>>> applications. This could be a REST endpoint, or the crazy iframe
>>>>>> technique
>>>>>> from OpenID Connect. I think this can be postponed to after 1.0
though.
>>>>>>
>>>>>
>>>>> The crazy IFrame techique would require this REST "ping".
At least for
>>>>> us, as our cookies would be http-only.
>>>>>
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>>
http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev(a)lists.jboss.org
>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>>
http://bill.burkecentral.com
>>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
>