It is mitigated somewhat as when a logout happens I set a
UserModel.notBefore setting. So refresh tokens will be invalidated.
But there is a window between when the logout occurs and when the access
On 3/27/2014 12:53 PM, Stian Thorgersen wrote:
Single-Sign Out is also an issue with other types of
"public" clients such as mobile apps, and oauth clients.
I'll have a look once I get the first round of audit work completed.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 27 March, 2014 4:36:02 PM
> Subject: [keycloak-dev] logout for keycloak.js
> This may be useful:
> Bill Burke
> JBoss, a division of Red Hat