[keycloak-dev] Account management requirements for beta1
Bill Burke
bburke at redhat.com
Wed Apr 30 14:24:01 EDT 2014
We have most of this via a not-before policy you can set at the realm
level, application, client, or user level. No ability yet to view
tokens that have been given out though and which may still be valid.
Only an admin can set the not-before policy right now.
Tasks:
* Make sure all not-before policies are checked before login or refresh
* Set UserModel.notBefore when a user does a logout.
* Allow user to invalidate all grants (sets a UserModel.notBefore(now)
policy)
Not a priority:
* Allow a user to view and invalidate specific oauth grants. We can
just make it all or nothing. I just think there's higher priority
things to do.
On 4/30/2014 12:17 PM, Stian Thorgersen wrote:
> With regards to account management what additional requirements do we have for beta1?
>
> Features I can think of to add now or in the future include:
>
> * Manage refresh tokens - view applications and clients that have refresh tokens, and the ability to invalidate specific tokens
> * Manage devices - view browsers and devices that have access (remember me cookie?), and the ability to invalidate specific cookies
> * Manage devices that can bypass totp - it seems to be quite common that it's possible to not require asking for totp again for a specific device, I assume this is done by setting a cookie, if we enable this it should be possible to view what devices have this option, as well as invalidate them
> * Manage applications - view all applications, be able to navigate to an application, and the ability to invalidate access to specific application
> * Manage clients - view all clients and what grants they have, and the ability to revoke access to specific client
>
> I think listing client grants, invalidate specific client grants, and a logout everything option would be sufficient. The logout everything option would invalidate any refresh tokens, remember me cookies, 'skip' totp cookies and do a sso-logout.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
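The not-before mechanism the thread describes, as an added worked example that is not Keycloak's code and not part of the original message: a policy store with realm, client and user levels, a check that rejects a token issued before any applicable not-before value, and a logout / "invalidate all grants" operation that sets the user-level value to the current time. The token fields (`iat`, `sub`, `client_id`), the strict `iat < not_before` comparison, and all timestamps are assumptions constructed for the example.

```python
"""Layered not-before revocation checks (added example, not Keycloak code).

Assumptions not taken from the thread: a token is a dict with an ``iat``
issue timestamp in seconds, a ``sub`` user id and a ``client_id``; a token
is rejected when ``iat`` is strictly earlier than any applicable not-before
value (a token issued in the same second as the policy still passes).
All timestamps below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class NotBeforePolicies:
    realm: int = 0                                   # realm-wide not-before
    clients: dict = field(default_factory=dict)      # client_id -> not-before
    users: dict = field(default_factory=dict)        # user_id  -> not-before

    def effective(self, client_id, user_id):
        """Most restrictive not-before that applies to this client/user pair."""
        return max(self.realm,
                   self.clients.get(client_id, 0),
                   self.users.get(user_id, 0))

    def reject_reason(self, token):
        """None if the token passes every level, else which level rejected it.

        Checked on login and on refresh; realm first, then client, then user,
        so the broadest policy is reported when several apply.
        """
        iat = token["iat"]
        levels = (("realm", self.realm),
                  ("client", self.clients.get(token["client_id"], 0)),
                  ("user", self.users.get(token["sub"], 0)))
        for scope, not_before in levels:
            if iat < not_before:                      # assumed strict compare
                return f"issued before {scope} not-before ({iat} < {not_before})"
        return None

    def logout(self, user_id, now):
        """Logout sets the user's not-before to now, killing earlier tokens.

        Never lower an existing value: a replayed old 'now' must not reopen
        tokens that an earlier logout already invalidated.
        """
        self.users[user_id] = max(self.users.get(user_id, 0), now)

    # "Invalidate all grants" from the account page is the same operation.
    revoke_all_grants = logout


def refresh(policies, refresh_token, now):
    """Refresh flow: apply the not-before check, then issue a fresh token."""
    reason = policies.reject_reason(refresh_token)
    if reason is not None:
        raise PermissionError(reason)
    return {"iat": now, "sub": refresh_token["sub"],
            "client_id": refresh_token["client_id"]}


def demo():
    """Walk through logout, client-level and realm-level revocation."""
    p = NotBeforePolicies()
    old = {"iat": 100, "sub": "alice", "client_id": "web"}      # constructed
    results = {"fresh": p.reject_reason(old)}                    # None

    p.logout("alice", 150)                                       # user logs out
    results["after_logout"] = p.reject_reason(old)               # rejected
    try:
        refresh(p, old, 155)
        results["refresh_old"] = "allowed"
    except PermissionError:
        results["refresh_old"] = "denied"

    new = {"iat": 160, "sub": "alice", "client_id": "web"}       # new login
    results["new_login"] = p.reject_reason(new)                  # None

    p.clients["web"] = 170                                       # admin revokes client
    results["client_revoked"] = p.reject_reason(new)             # rejected
    mobile = {"iat": 160, "sub": "alice", "client_id": "mobile"}
    results["other_client"] = p.reject_reason(mobile)            # None

    p.realm = 200                                                # realm-wide cutoff
    results["realm_revoked"] = p.reject_reason(mobile)           # rejected
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `max` in `logout` is the one a reviewer would flag: the not-before value must only ever move forward, otherwise a stale request can re-enable tokens a previous logout already revoked. Note also that user-level checks alone cannot express "invalidate this one grant", which is why the per-grant view is the separate, lower-priority item in the thread.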