8:48 a.m.
I think oauth grants are a different animal than application logins.
Applications are part of an SSO session, while oauth grants will
probably not want to be part of an SSO session. Why? If an Oauth grant
requires entering in user credentials, right now, Keycloak will create a
identity cookie. The user might not know in this situation that they
need to logout.
I was thinking that:
1. OAuth Client grant requests should always have a new session created
for them.
2. OAuth client grant requests should not ever set any cookies. Its ok
to use existing cookies for authentication though.
3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
for each oauth client and application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:55 a.m.
Are you talking about 'tokens/grants/access'?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 16 May, 2014 2:48:06 PM
Subject: [keycloak-dev] oauth clients and session problems
I think oauth grants are a different animal than application logins.
Applications are part of an SSO session, while oauth grants will
probably not want to be part of an SSO session. Why? If an Oauth grant
requires entering in user credentials, right now, Keycloak will create a
identity cookie. The user might not know in this situation that they
need to logout.
I was thinking that:
1. OAuth Client grant requests should always have a new session created
for them.
2. OAuth client grant requests should not ever set any cookies. Its ok
to use existing cookies for authentication though.
3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
for each oauth client and application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:09 a.m.
No, I'm talking about browser-based oauth grant. Where the client
initiating the token request is an oauth client and the user has to
login and go to the oauth grant page.
On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
Are you talking about 'tokens/grants/access'?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 16 May, 2014 2:48:06 PM
> Subject: [keycloak-dev] oauth clients and session problems
>
> I think oauth grants are a different animal than application logins.
> Applications are part of an SSO session, while oauth grants will
> probably not want to be part of an SSO session. Why? If an Oauth grant
> requires entering in user credentials, right now, Keycloak will create a
> identity cookie. The user might not know in this situation that they
> need to logout.
>
> I was thinking that:
>
> 1. OAuth Client grant requests should always have a new session created
> for them.
> 2. OAuth client grant requests should not ever set any cookies. Its ok
> to use existing cookies for authentication though.
> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
> for each oauth client and application.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:30 a.m.
In that case I'm not convinced. I'd expect all 'clients' to be logged out
when I logout of the SSO realm. Unless I've explicitly granted the client offline
access (something we don't really support atm).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 16 May, 2014 4:09:00 PM
Subject: Re: [keycloak-dev] oauth clients and session problems
No, I'm talking about browser-based oauth grant. Where the client
initiating the token request is an oauth client and the user has to
login and go to the oauth grant page.
On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> Are you talking about 'tokens/grants/access'?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 16 May, 2014 2:48:06 PM
>> Subject: [keycloak-dev] oauth clients and session problems
>>
>> I think oauth grants are a different animal than application logins.
>> Applications are part of an SSO session, while oauth grants will
>> probably not want to be part of an SSO session. Why? If an Oauth grant
>> requires entering in user credentials, right now, Keycloak will create a
>> identity cookie. The user might not know in this situation that they
>> need to logout.
>>
>> I was thinking that:
>>
>> 1. OAuth Client grant requests should always have a new session created
>> for them.
>> 2. OAuth client grant requests should not ever set any cookies. Its ok
>> to use existing cookies for authentication though.
>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
>> for each oauth client and application.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:38 a.m.
OAuth clients shouldn't create an identity cookie at least. Again,
because the user might not know they are logged in. Meaning, if the
user isn't already logged in, then the oauth grant page will not
set/refresh the KEYCLOAK_IDENTITY cookie.
I'm most worried about doing a oauth client grant and the user not
knowing they are logged in. They step away from the browser, and still
have their SSO session active.
On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
In that case I'm not convinced. I'd expect all
'clients' to be logged out when I logout of the SSO realm. Unless I've
explicitly granted the client offline access (something we don't really support atm).
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 16 May, 2014 4:09:00 PM
> Subject: Re: [keycloak-dev] oauth clients and session problems
>
> No, I'm talking about browser-based oauth grant. Where the client
> initiating the token request is an oauth client and the user has to
> login and go to the oauth grant page.
>
> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
>> Are you talking about 'tokens/grants/access'?
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, 16 May, 2014 2:48:06 PM
>>> Subject: [keycloak-dev] oauth clients and session problems
>>>
>>> I think oauth grants are a different animal than application logins.
>>> Applications are part of an SSO session, while oauth grants will
>>> probably not want to be part of an SSO session. Why? If an Oauth grant
>>> requires entering in user credentials, right now, Keycloak will create a
>>> identity cookie. The user might not know in this situation that they
>>> need to logout.
>>>
>>> I was thinking that:
>>>
>>> 1. OAuth Client grant requests should always have a new session created
>>> for them.
>>> 2. OAuth client grant requests should not ever set any cookies. Its ok
>>> to use existing cookies for authentication though.
>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
>>> for each oauth client and application.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:47 a.m.
Surely the user has to login first though, before the oauth grant page is displayed?
Google, Facebook, Twitter, etc. all requires that you are logged in with them prior to
displaying a grant page.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 16 May, 2014 4:38:59 PM
Subject: Re: [keycloak-dev] oauth clients and session problems
OAuth clients shouldn't create an identity cookie at least. Again,
because the user might not know they are logged in. Meaning, if the
user isn't already logged in, then the oauth grant page will not
set/refresh the KEYCLOAK_IDENTITY cookie.
I'm most worried about doing a oauth client grant and the user not
knowing they are logged in. They step away from the browser, and still
have their SSO session active.
On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
> In that case I'm not convinced. I'd expect all 'clients' to be
logged out
> when I logout of the SSO realm. Unless I've explicitly granted the client
> offline access (something we don't really support atm).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 16 May, 2014 4:09:00 PM
>> Subject: Re: [keycloak-dev] oauth clients and session problems
>>
>> No, I'm talking about browser-based oauth grant. Where the client
>> initiating the token request is an oauth client and the user has to
>> login and go to the oauth grant page.
>>
>> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
>>> Are you talking about 'tokens/grants/access'?
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, 16 May, 2014 2:48:06 PM
>>>> Subject: [keycloak-dev] oauth clients and session problems
>>>>
>>>> I think oauth grants are a different animal than application logins.
>>>> Applications are part of an SSO session, while oauth grants will
>>>> probably not want to be part of an SSO session. Why? If an Oauth grant
>>>> requires entering in user credentials, right now, Keycloak will create
a
>>>> identity cookie. The user might not know in this situation that they
>>>> need to logout.
>>>>
>>>> I was thinking that:
>>>>
>>>> 1. OAuth Client grant requests should always have a new session created
>>>> for them.
>>>> 2. OAuth client grant requests should not ever set any cookies. Its ok
>>>> to use existing cookies for authentication though.
>>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be
overridable
>>>> for each oauth client and application.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:35 a.m.
Can we have a hangout to this discuss this?
Another thing I thought about was that I think the session cookie should be persisted
permanently even without remember-me enabled. That way instead of creating a new session
after restarting the user can re-attach to the same session by a new login. The benefit
here is that we are more likely to invalidate any refresh tokens created for that
particular device/browser.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 16 May, 2014 4:47:52 PM
Subject: Re: [keycloak-dev] oauth clients and session problems
Surely the user has to login first though, before the oauth grant page is
displayed?
Google, Facebook, Twitter, etc. all requires that you are logged in with them
prior to displaying a grant page.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 16 May, 2014 4:38:59 PM
> Subject: Re: [keycloak-dev] oauth clients and session problems
>
> OAuth clients shouldn't create an identity cookie at least. Again,
> because the user might not know they are logged in. Meaning, if the
> user isn't already logged in, then the oauth grant page will not
> set/refresh the KEYCLOAK_IDENTITY cookie.
>
> I'm most worried about doing a oauth client grant and the user not
> knowing they are logged in. They step away from the browser, and still
> have their SSO session active.
>
> On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
> > In that case I'm not convinced. I'd expect all 'clients' to be
logged out
> > when I logout of the SSO realm. Unless I've explicitly granted the client
> > offline access (something we don't really support atm).
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: keycloak-dev(a)lists.jboss.org
> >> Sent: Friday, 16 May, 2014 4:09:00 PM
> >> Subject: Re: [keycloak-dev] oauth clients and session problems
> >>
> >> No, I'm talking about browser-based oauth grant. Where the client
> >> initiating the token request is an oauth client and the user has to
> >> login and go to the oauth grant page.
> >>
> >> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> >>> Are you talking about 'tokens/grants/access'?
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>> To: keycloak-dev(a)lists.jboss.org
> >>>> Sent: Friday, 16 May, 2014 2:48:06 PM
> >>>> Subject: [keycloak-dev] oauth clients and session problems
> >>>>
> >>>> I think oauth grants are a different animal than application
logins.
> >>>> Applications are part of an SSO session, while oauth grants will
> >>>> probably not want to be part of an SSO session. Why? If an Oauth
> >>>> grant
> >>>> requires entering in user credentials, right now, Keycloak will
create
> >>>> a
> >>>> identity cookie. The user might not know in this situation that
they
> >>>> need to logout.
> >>>>
> >>>> I was thinking that:
> >>>>
> >>>> 1. OAuth Client grant requests should always have a new session
> >>>> created
> >>>> for them.
> >>>> 2. OAuth client grant requests should not ever set any cookies.
Its
> >>>> ok
> >>>> to use existing cookies for authentication though.
> >>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be
> >>>> overridable
> >>>> for each oauth client and application.
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3878
days inactive
3881
days old
6 comments
2 participants
participants (2)
-
Bill Burke -
Stian Thorgersen