[keycloak-dev] Account management requirements for beta1
Stian Thorgersen
stian at redhat.com
Thu May 1 09:12:29 EDT 2014
That's pretty rubbish though. Say I've got a desktop, a laptop and a mobile, and they're all logged-in with a remember-me cookie. Then I use a friends or a library computer, and after I've clicked logout there I'm logged out everywhere. That's really annoying, especially for mobiles.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 1 May, 2014 2:05:28 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
>
>
>
> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
> > As long as we have a way for users to invalidate everything in accnt mngmt
> > I agree that's sufficient.
> >
> > Setting UserModel.notBefore on user logout, would that not invalidation the
> > session on other devices/browsers as well?
> >
>
> Yes, for those apps that don't have an HTTP session that can be
> invalidated, they will eventually have to do a refresh and the refresh
> token would be invalid which would force a relog.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list