[keycloak-dev] Account management requirements for beta1
Bill Burke
bburke at redhat.com
Thu May 1 11:30:08 EDT 2014
On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
> Yes, it should log out from all applications and clients, but not all devices.
>
So logout is really a "device" logout. "Device" being a mobile or
desktop. Logging in creates a "login session" for the device you logged
in with. A logout from that device logs the user out of all applications
that device has interacted with.
> To confirm, resources to invalidate includes:
>
> * Refresh tokens
> * Identity cookie
> * Remember-me cookie
Also:
* application http sessions. Which means that we'll have to remember
which application's HTTP sessions correspond to the "login session" of
the device used to access the application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
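The per-device "login session" model discussed above, as an added illustration that is not Keycloak code or anything from this thread: a hypothetical in-memory `SessionRegistry` (all class and method names are my own invention) keeps one `LoginSession` per device login and indexes every artifact the device obtained (refresh tokens, identity and remember-me cookies, and each application's HTTP session) back to it, so that a device logout invalidates exactly that set and leaves the user's other devices untouched. A `logout_all_devices` method is included only as the contrasting case the thread says a plain logout should not be.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class LoginSession:
    """One record per device login; everything that device obtained hangs off it."""
    id: str
    user: str
    identity_cookie: str
    remember_me_cookie: Optional[str]
    refresh_tokens: Set[str] = field(default_factory=set)
    # (application name, application HTTP session id) pairs created under this login
    app_sessions: Set[Tuple[str, str]] = field(default_factory=set)
    active: bool = True


class SessionRegistry:
    """Hypothetical server-side registry: maps each artifact back to its login session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, LoginSession] = {}
        self._by_refresh: Dict[str, str] = {}            # refresh token -> login session id
        self._by_cookie: Dict[str, str] = {}             # identity/remember-me cookie -> login session id
        self._by_app: Dict[Tuple[str, str], str] = {}    # (app, http session id) -> login session id

    def login(self, user: str, remember_me: bool = False) -> LoginSession:
        """Each login from a device creates a fresh login session and its cookies."""
        s = LoginSession(
            id=secrets.token_urlsafe(16),
            user=user,
            identity_cookie=secrets.token_urlsafe(32),
            remember_me_cookie=secrets.token_urlsafe(32) if remember_me else None,
        )
        self._sessions[s.id] = s
        self._by_cookie[s.identity_cookie] = s.id
        if s.remember_me_cookie:
            self._by_cookie[s.remember_me_cookie] = s.id
        return s

    def issue_refresh_token(self, login_session_id: str) -> str:
        """Refresh tokens are bound to the login session that requested them."""
        s = self._active(login_session_id)
        token = secrets.token_urlsafe(32)
        s.refresh_tokens.add(token)
        self._by_refresh[token] = s.id
        return token

    def register_app_session(self, login_session_id: str, app: str, http_session_id: str) -> None:
        """Remember which application HTTP session was created under which login session."""
        s = self._active(login_session_id)
        key = (app, http_session_id)
        s.app_sessions.add(key)
        self._by_app[key] = s.id

    def refresh_token_valid(self, token: str) -> bool:
        return self._alive(self._by_refresh.get(token))

    def cookie_valid(self, cookie: str) -> bool:
        return self._alive(self._by_cookie.get(cookie))

    def app_session_valid(self, app: str, http_session_id: str) -> bool:
        return self._alive(self._by_app.get((app, http_session_id)))

    def logout(self, login_session_id: str) -> Dict[str, list]:
        """Device logout: invalidate everything tied to this login session, nothing else."""
        s = self._sessions.get(login_session_id)
        if s is None or not s.active:
            return {"refresh_tokens": [], "cookies": [], "app_sessions": []}
        s.active = False
        for t in s.refresh_tokens:
            self._by_refresh.pop(t, None)
        cookies = [s.identity_cookie] + ([s.remember_me_cookie] if s.remember_me_cookie else [])
        for c in cookies:
            self._by_cookie.pop(c, None)
        for key in s.app_sessions:
            self._by_app.pop(key, None)
        return {
            "refresh_tokens": sorted(s.refresh_tokens),
            "cookies": cookies,
            "app_sessions": sorted(s.app_sessions),
        }

    def logout_all_devices(self, user: str) -> int:
        """Contrast case only: ends every active login session the user has."""
        ids = [sid for sid, s in self._sessions.items() if s.user == user and s.active]
        for sid in ids:
            self.logout(sid)
        return len(ids)

    def _active(self, sid: str) -> LoginSession:
        s = self._sessions.get(sid)
        if s is None or not s.active:
            raise KeyError("no active login session %r" % sid)
        return s

    def _alive(self, sid: Optional[str]) -> bool:
        # Index entries are removed on logout, so a hit means the session still exists;
        # the active flag is checked anyway so a stale reference can never validate.
        return sid is not None and self._sessions[sid].active
```

The point the registry makes concrete is the last item in the list above: an application's HTTP session can only be torn down on device logout if the server recorded, at the time the application session was created, which login session it belongs to. Without that reverse index the identity cookie and refresh tokens die but the application keeps serving the old HTTP session.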