[keycloak-dev] Account management requirements for beta1

Bill Burke bburke at redhat.com
Thu May 1 09:58:43 EDT 2014


How do you propose single logout works then?  You want single log out to 
be a single click, not a questionnaire on which apps to log out of.

On 5/1/2014 9:12 AM, Stian Thorgersen wrote:
> That's pretty rubbish though. Say I've got a desktop, a laptop and a mobile, and they're all logged-in with a remember-me cookie. Then I use a friend's or a library computer, and after I've clicked logout there I'm logged out everywhere. That's really annoying, especially for mobiles.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 1 May, 2014 2:05:28 PM
>> Subject: Re: [keycloak-dev] Account management requirements for beta1
>>
>>
>>
>> On 5/1/2014 5:28 AM, Stian Thorgersen wrote:
>>> As long as we have a way for users to invalidate everything in accnt mngmt
>>> I agree that's sufficient.
>>>
>>> Setting UserModel.notBefore on user logout, would that not invalidate the
>>> session on other devices/browsers as well?
>>>
>>
>> Yes, for those apps that don't have an HTTP session that can be
>> invalidated, they will eventually have to do a refresh and the refresh
>> token would be invalid which would force a relog.
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
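
The behaviour discussed in this thread, as an added sketch that is not part of the original messages and is not Keycloak code: a user-wide not-before timestamp set on logout makes every refresh token issued earlier fail, whichever device holds it. The class and function names are hypothetical and the timestamps are constructed integers.

```python
# Added illustration, not Keycloak code. All names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshToken:
    subject: str
    device: str
    issued_at: int  # epoch seconds (constructed values below)


class TokenService:
    def __init__(self):
        self.not_before = {}  # user -> earliest acceptable issued_at

    def login(self, user, device, now):
        self.not_before.setdefault(user, 0)
        return RefreshToken(user, device, now)

    def logout(self, user, now):
        # User-wide marker: it is not tied to the device that logged out.
        self.not_before[user] = now

    def refresh(self, token, now):
        floor = self.not_before.get(token.subject)
        # Strict '<': a token issued in the same second as the logout survives.
        if floor is None or token.issued_at < floor:
            raise PermissionError("refresh token predates not-before")
        return RefreshToken(token.subject, token.device, now)


def simulate():
    svc = TokenService()
    tokens = {d: svc.login("alice", d, t) for d, t in
              [("desktop", 100), ("laptop", 110), ("mobile", 120), ("library", 200)]}
    svc.logout("alice", now=300)  # clicked on the library computer only
    outcome = {}
    for device, tok in tokens.items():
        try:
            svc.refresh(tok, now=400)
            outcome[device] = "refreshed"
        except PermissionError:
            outcome[device] = "relogin"
    # A fresh login after the logout is unaffected.
    fresh = svc.login("alice", "mobile", now=500)
    outcome["mobile-after-relogin"] = (
        "refreshed" if svc.refresh(fresh, now=600).issued_at == 600 else "relogin")
    return outcome


if __name__ == "__main__":
    print(simulate())
```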

