[keycloak-dev] Account management requirements for beta1

Bill Burke bburke at redhat.com
Thu May 1 09:05:28 EDT 2014



On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> As long as we have a way for users to invalidate everything in accnt mngmt I agree that's sufficient.
>
> Setting UserModel.notBefore on user logout, would that not invalidation the session on other devices/browsers as well?
>

Yes, for those apps that don't have an HTTP session that can be 
invalidated, they will eventually have to do a refresh and the refresh 
token would be invalid which would force a relog.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list