----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 4:30:08 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
> Yes, it should log out from all applications and clients, but not all
> devices.
>
So logout is really a "device" logout. "Device" being a mobile or
desktop. Logging in creates a "login session" for the device you logged
in with. A logout from that device logs the user out of all applications
that device has interacted with.
Yep, if a user wants to logout from all devices they have to do so explicitly through the
account management console. We could also support this as a query param to the logout url
(/tokens/logout?logout_all)?
> To confirm, resources to invalidate includes:
>
> * Refresh tokens
> * Identity cookie
> * Remember-me cookie
Also:
* application HTTP sessions, which means that we'll have to remember
which application's HTTP sessions correspond to the "login session" of
the device used to access the application.
I assume this is the http sessions for the adapters, and not Keycloak itself? We could do
this by adding the 'login session' id to the token?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
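An added example, not Keycloak code, that models the design discussed in this thread: each login from a device creates a login session; the refresh tokens, cookies and application HTTP sessions issued under it are bound to that session's id, so a device logout invalidates only that device's resources, while logout-all clears every session of the user. The `login_session` token claim and the registry's method names are assumptions made for the model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginSession:
    """One login from one device; everything issued under it is bound to its id."""
    id: str
    user: str
    refresh_tokens: set = field(default_factory=set)  # ids of refresh tokens issued here
    cookies: set = field(default_factory=set)         # identity / remember-me cookie values
    app_sessions: dict = field(default_factory=dict)  # application -> its HTTP session id


class SessionRegistry:
    def __init__(self):
        self.sessions = {}  # login session id -> LoginSession

    def login(self, user):
        """Login from one device: creates a login session and its cookies."""
        sid = secrets.token_hex(8)
        s = LoginSession(sid, user)
        s.cookies = {("identity", secrets.token_hex(8)), ("remember-me", secrets.token_hex(8))}
        self.sessions[sid] = s
        return sid

    def issue_refresh_token(self, sid):
        """Refresh tokens carry the login session id (the claim name is an assumption)."""
        token = {"login_session": sid, "jti": secrets.token_hex(8)}
        self.sessions[sid].refresh_tokens.add(token["jti"])
        return token

    def register_app_session(self, sid, app, http_session_id):
        """An adapter records the HTTP session it created for a token from session sid."""
        self.sessions[sid].app_sessions[app] = http_session_id

    def refresh_token_valid(self, token):
        s = self.sessions.get(token.get("login_session"))
        return s is not None and token.get("jti") in s.refresh_tokens

    def logout(self, sid):
        """Device logout: the session is dropped, so its refresh tokens and cookies stop
        validating; returns the application HTTP sessions the adapters must invalidate."""
        s = self.sessions.pop(sid, None)
        return dict(s.app_sessions) if s else {}

    def logout_all(self, user):
        """Explicit logout from all devices: every login session of the user."""
        ids = [sid for sid, s in self.sessions.items() if s.user == user]
        return {sid: self.logout(sid) for sid in ids}
```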