[keycloak-dev] Account management requirements for beta1
Bill Burke
bburke at redhat.com
Thu May 1 09:05:28 EDT 2014
On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> As long as we have a way for users to invalidate everything in accnt mngmt I agree that's sufficient.
>
> Setting UserModel.notBefore on user logout, would that not invalidation the session on other devices/browsers as well?
>
Yes, for those apps that don't have an HTTP session that can be
invalidated, they will eventually have to do a refresh and the refresh
token would be invalid which would force a relog.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list