11:17 a.m.
With regards to account management what additional requirements do we have for beta1?
Features I can think off to add now or in the future includes:
* Manage refresh tokens - view applications and clients that have refresh tokens, and the
ability to invalidate specific tokens
* Manage devices - view browsers and devices that have access (remember me cookie?), and
the ability to invalidate specific cookies
* Manage devices that can bypass totp - it seems to be quite common that it's possible
to not require asking for totp again for a specific device, I assume this is done by
setting a cookie, if we enable this it should be possible to view what devices have this
option, as well as invalidate them
* Manage applications - view all applications, be able to navigate to an application, and
the ability to invalidate access to specific application
* Manage clients - view all clients and what grants they have, and the ability to revoke
access to specific client
I think listing client grants, invalidate specific client grants, and a logout everything
option would be sufficient. The logout everything option would invalidate any refresh
tokens, remember me cookies, 'skip' totp cookies and do a sso-logout.
1:24 p.m.
We have most of this via a not-before policy you can set at the realm
level, application, client, or user level. No ability yet to view
tokens that have been given out though and which may still be valid.
Only an admin can set the not-before policy right now.
Tasks:
* Make sure all not before policies are checked before login or refresh
* Set UserModel.notBefore when a user does a logout.
* Allow user to invalidate all grants (sets a UserModel.notBefore(now)
policy)
Not a priority:
* Allow a user to view and invalidate specific oauth grants. We can
just make it all or nothing. I just think there's higher priority
things to do.
On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
With regards to account management what additional requirements do we
have for beta1?
Features I can think off to add now or in the future includes:
* Manage refresh tokens - view applications and clients that have refresh tokens, and the
ability to invalidate specific tokens
* Manage devices - view browsers and devices that have access (remember me cookie?), and
the ability to invalidate specific cookies
* Manage devices that can bypass totp - it seems to be quite common that it's
possible to not require asking for totp again for a specific device, I assume this is done
by setting a cookie, if we enable this it should be possible to view what devices have
this option, as well as invalidate them
* Manage applications - view all applications, be able to navigate to an application, and
the ability to invalidate access to specific application
* Manage clients - view all clients and what grants they have, and the ability to revoke
access to specific client
I think listing client grants, invalidate specific client grants, and a logout everything
option would be sufficient. The logout everything option would invalidate any refresh
tokens, remember me cookies, 'skip' totp cookies and do a sso-logout.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:28 a.m.
As long as we have a way for users to invalidate everything in accnt mngmt I agree
that's sufficient.
Setting UserModel.notBefore on user logout, would that not invalidation the session on
other devices/browsers as well?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 30 April, 2014 7:24:01 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
We have most of this via a not-before policy you can set at the realm
level, application, client, or user level. No ability yet to view
tokens that have been given out though and which may still be valid.
Only an admin can set the not-before policy right now.
Tasks:
* Make sure all not before policies are checked before login or refresh
* Set UserModel.notBefore when a user does a logout.
* Allow user to invalidate all grants (sets a UserModel.notBefore(now)
policy)
Not a priority:
* Allow a user to view and invalidate specific oauth grants. We can
just make it all or nothing. I just think there's higher priority
things to do.
On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
> With regards to account management what additional requirements do we have
> for beta1?
>
> Features I can think off to add now or in the future includes:
>
> * Manage refresh tokens - view applications and clients that have refresh
> tokens, and the ability to invalidate specific tokens
> * Manage devices - view browsers and devices that have access (remember me
> cookie?), and the ability to invalidate specific cookies
> * Manage devices that can bypass totp - it seems to be quite common that
> it's possible to not require asking for totp again for a specific device,
> I assume this is done by setting a cookie, if we enable this it should be
> possible to view what devices have this option, as well as invalidate them
> * Manage applications - view all applications, be able to navigate to an
> application, and the ability to invalidate access to specific application
> * Manage clients - view all clients and what grants they have, and the
> ability to revoke access to specific client
>
> I think listing client grants, invalidate specific client grants, and a
> logout everything option would be sufficient. The logout everything option
> would invalidate any refresh tokens, remember me cookies, 'skip' totp
> cookies and do a sso-logout.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:05 a.m.
On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
As long as we have a way for users to invalidate everything in accnt
mngmt I agree that's sufficient.
Setting UserModel.notBefore on user logout, would that not invalidation the session on
other devices/browsers as well?
Yes, for those apps that don't have an HTTP session that can be
invalidated, they will eventually have to do a refresh and the refresh
token would be invalid which would force a relog.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:12 a.m.
That's pretty rubbish though. Say I've got a desktop, a laptop and a mobile, and
they're all logged-in with a remember-me cookie. Then I use a friends or a library
computer, and after I've clicked logout there I'm logged out everywhere.
That's really annoying, especially for mobiles.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 2:05:28 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> As long as we have a way for users to invalidate everything in accnt mngmt
> I agree that's sufficient.
>
> Setting UserModel.notBefore on user logout, would that not invalidation the
> session on other devices/browsers as well?
>
Yes, for those apps that don't have an HTTP session that can be
invalidated, they will eventually have to do a refresh and the refresh
token would be invalid which would force a relog.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:58 a.m.
How do you propose single logout works then? You want single log out to
be a single click, not a questionaire on which apps to log out of.
On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
That's pretty rubbish though. Say I've got a desktop, a
laptop and a mobile, and they're all logged-in with a remember-me cookie. Then I use a
friends or a library computer, and after I've clicked logout there I'm logged out
everywhere. That's really annoying, especially for mobiles.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 1 May, 2014 2:05:28 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
>
>
>
> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
>> As long as we have a way for users to invalidate everything in accnt mngmt
>> I agree that's sufficient.
>>
>> Setting UserModel.notBefore on user logout, would that not invalidation the
>> session on other devices/browsers as well?
>>
>
> Yes, for those apps that don't have an HTTP session that can be
> invalidated, they will eventually have to do a refresh and the refresh
> token would be invalid which would force a relog.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:14 a.m.
Yes, it should log out from all applications and clients, but not all devices.
To confirm, resources to invalidate includes:
* Refresh tokens
* Identity cookie
* Remember-me cookie
What about when a user logs in we create a unique "login-code" for that device
that is stored in the identity cookie. All refresh tokens and remember-me cookies are then
associated with this code as well. A UserModel would have a list of valid
"login-codes", and on a standard logout the "login-code" from the
current identity cookie would be removed from the UserModel. This would invalidate all
refresh tokens and cookies created for that particular device/browser.
In account management we'd have an additional option to log out everything. Doing this
would set the notBefore on the UserModel to "now", as well as remove all
"login-codes". This would invalidate all current refresh tokens and cookies for
all devices/browsers.
With regards to OAuth Grants, as we don't currently remember what grants a user has
given to a client I don't think we need to add anything in account management for it.
Once we remember grants then we should also allow users to view and revoke grants.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 2:58:43 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
How do you propose single logout works then? You want single log out to
be a single click, not a questionaire on which apps to log out of.
On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
> That's pretty rubbish though. Say I've got a desktop, a laptop and a
> mobile, and they're all logged-in with a remember-me cookie. Then I use a
> friends or a library computer, and after I've clicked logout there I'm
> logged out everywhere. That's really annoying, especially for mobiles.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 2:05:28 PM
>> Subject: Re: [keycloak-dev] Account management requirements for beta1
>>
>>
>>
>> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
>>> As long as we have a way for users to invalidate everything in accnt
>>> mngmt
>>> I agree that's sufficient.
>>>
>>> Setting UserModel.notBefore on user logout, would that not invalidation
>>> the
>>> session on other devices/browsers as well?
>>>
>>
>> Yes, for those apps that don't have an HTTP session that can be
>> invalidated, they will eventually have to do a refresh and the refresh
>> token would be invalid which would force a relog.
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:30 a.m.
On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
Yes, it should log out from all applications and clients, but not all
devices.
So logout is really a "device" logout. "Device" being a mobile or
desktop. Logging in creates a "login session" for the device you logged
in with. A logout from that device logs the user of all applications
that device has interacted with.
To confirm, resources to invalidate includes:
* Refresh tokens
* Identity cookie
* Remember-me cookie
Also:
* application http sessions. Which means that we'll have to remember
which application's HTTP sessions correspond to the "login session" of
the device used to access the application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1:17 p.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 4:30:08 PM
Subject: Re: [keycloak-dev] Account management requirements for beta1
On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
> Yes, it should log out from all applications and clients, but not all
> devices.
>
So logout is really a "device" logout. "Device" being a mobile or
desktop. Logging in creates a "login session" for the device you logged
in with. A logout from that device logs the user of all applications
that device has interacted with.
Yep, if a user wants to logout from all devices they have to do so explicitly through the
account management console. We could also support this as a query param to the logout url
(/tokens/logout?logout_all)?
> To confirm, resources to invalidate includes:
>
> * Refresh tokens
> * Identity cookie
> * Remember-me cookie
Also:
* application http sessions. Which means that we'll have to remember
which application's HTTP sessions correspond to the "login session" of
the device used to access the application.
I assume this is the http sessions for the adapters, and not Keycloak itself? We could do
this by adding the 'login session' id to the token?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1:33 p.m.
On 5/1/2014 2:17 PM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 1 May, 2014 4:30:08 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
>
>
>
> On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
>> Yes, it should log out from all applications and clients, but not all
>> devices.
>>
>
> So logout is really a "device" logout. "Device" being a mobile
or
> desktop. Logging in creates a "login session" for the device you logged
> in with. A logout from that device logs the user of all applications
> that device has interacted with.
Yep, if a user wants to logout from all devices they have to do so explicitly through the
account management console. We could also support this as a query param to the logout url
(/tokens/logout?logout_all)?
Cookie should have the login-session information already.
>
>
>> To confirm, resources to invalidate includes:
>>
>> * Refresh tokens
>> * Identity cookie
>> * Remember-me cookie
>
> Also:
>
> * application http sessions. Which means that we'll have to remember
> which application's HTTP sessions correspond to the "login session" of
> the device used to access the application.
I assume this is the http sessions for the adapters, and not Keycloak itself? We could do
this by adding the 'login session' id to the token?
Invalidating an http session requires a callback from the auth server to
the adapter's server.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:42 a.m.
There is also the thing, that currently user registered through social
can't change his password - https://issues.jboss.org/browse/KEYCLOAK-334
. Not sure if this is priority for beta1, but it should be at least in
1.0-Final IMO.
We discussed the possibility to remove the options
"updateProfileOnInitialSocialLogin", "verifyEmail" and instead use
list
of requiredActions after normal registration and social registration.
Currently it's assigned to me and planned for Beta1, but I don't think
that I can do it though as I am on PTO from Thursday and then whole next
week...
Marek
On 30.4.2014 18:17, Stian Thorgersen wrote:
With regards to account management what additional requirements do we
have for beta1?
Features I can think off to add now or in the future includes:
* Manage refresh tokens - view applications and clients that have refresh tokens, and the
ability to invalidate specific tokens
* Manage devices - view browsers and devices that have access (remember me cookie?), and
the ability to invalidate specific cookies
* Manage devices that can bypass totp - it seems to be quite common that it's
possible to not require asking for totp again for a specific device, I assume this is done
by setting a cookie, if we enable this it should be possible to view what devices have
this option, as well as invalidate them
* Manage applications - view all applications, be able to navigate to an application, and
the ability to invalidate access to specific application
* Manage clients - view all clients and what grants they have, and the ability to revoke
access to specific client
I think listing client grants, invalidate specific client grants, and a logout everything
option would be sufficient. The logout everything option would invalidate any refresh
tokens, remember me cookies, 'skip' totp cookies and do a sso-logout.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:43 a.m.
I've set those issues as low priority for beta1 - I can do them if I get the chance,
otherwise we'll have to push them
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 5 May, 2014 8:42:23 AM
Subject: Re: [keycloak-dev] Account management requirements for beta1
There is also the thing, that currently user registered through social
can't change his password - https://issues.jboss.org/browse/KEYCLOAK-334
. Not sure if this is priority for beta1, but it should be at least in
1.0-Final IMO.
We discussed the possibility to remove the options
"updateProfileOnInitialSocialLogin", "verifyEmail" and instead use
list
of requiredActions after normal registration and social registration.
Currently it's assigned to me and planned for Beta1, but I don't think
that I can do it though as I am on PTO from Thursday and then whole next
week...
Marek
On 30.4.2014 18:17, Stian Thorgersen wrote:
> With regards to account management what additional requirements do we have
> for beta1?
>
> Features I can think off to add now or in the future includes:
>
> * Manage refresh tokens - view applications and clients that have refresh
> tokens, and the ability to invalidate specific tokens
> * Manage devices - view browsers and devices that have access (remember me
> cookie?), and the ability to invalidate specific cookies
> * Manage devices that can bypass totp - it seems to be quite common that
> it's possible to not require asking for totp again for a specific device,
> I assume this is done by setting a cookie, if we enable this it should be
> possible to view what devices have this option, as well as invalidate them
> * Manage applications - view all applications, be able to navigate to an
> application, and the ability to invalidate access to specific application
> * Manage clients - view all clients and what grants they have, and the
> ability to revoke access to specific client
>
> I think listing client grants, invalidate specific client grants, and a
> logout everything option would be sufficient. The logout everything option
> would invalidate any refresh tokens, remember me cookies, 'skip' totp
> cookies and do a sso-logout.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3839
days inactive
3845
days old
11 comments
3 participants
participants (3)
-
Bill Burke -
Marek Posolda -
Stian Thorgersen