[keycloak-dev] Account management requirements for beta1
Stian Thorgersen
stian at redhat.com
Thu May 1 14:17:45 EDT 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 1 May, 2014 4:30:08 PM
> Subject: Re: [keycloak-dev] Account management requirements for beta1
>
>
>
> On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
> > Yes, it should log out from all applications and clients, but not all
> > devices.
> >
>
> So logout is really a "device" logout. "Device" being a mobile or
> desktop. Logging in creates a "login session" for the device you logged
> in with. A logout from that device logs the user out of all applications
> that device has interacted with.
Yep, if a user wants to log out from all devices they have to do so explicitly through the account management console. We could also support this as a query param to the logout url (/tokens/logout?logout_all)?
>
>
> > To confirm, resources to invalidate includes:
> >
> > * Refresh tokens
> > * Identity cookie
> > * Remember-me cookie
>
> Also:
>
> * application http sessions. Which means that we'll have to remember
> which application's HTTP sessions correspond to the "login session" of
> the device used to access the application.
I assume this is the http sessions for the adapters, and not Keycloak itself? We could do this by adding the 'login session' id to the token?
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
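The model sketched in this exchange (one "login session" per device, a logout that invalidates that device's refresh tokens, identity cookie, remember-me cookie and the application HTTP sessions that were opened under it, and a separate explicit "logout from all devices" path) can be made concrete in a small session registry. The following is an added illustration written for this discussion, not Keycloak code; the class and method names (`LoginSession`, `SessionRegistry`, `logout`, `logout_all`) and the idea of carrying the login session id in the refresh token as `sid` are assumptions for the example, mirroring the suggestion in the reply above.

```python
"""Per-device "login session" logout versus logout from all devices.

Added example for the keycloak-dev thread above; not Keycloak code.
Names and the `sid` claim are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginSession:
    """Everything created by one login from one device."""
    id: str
    user: str
    device: str
    identity_cookie: str
    remember_me_cookie: str
    refresh_tokens: set = field(default_factory=set)
    # application -> set of adapter HTTP session ids opened under this login
    app_http_sessions: dict = field(default_factory=dict)
    active: bool = True


class SessionRegistry:
    def __init__(self):
        self.sessions = {}  # login session id -> LoginSession

    def login(self, user, device):
        """Create a login session for the device the user logged in with."""
        session = LoginSession(
            id=secrets.token_hex(8), user=user, device=device,
            identity_cookie=secrets.token_hex(8),
            remember_me_cookie=secrets.token_hex(8))
        self.sessions[session.id] = session
        return session

    def issue_refresh_token(self, session_id):
        """Refresh token carries the login session id (`sid`) so adapters can
        tie their HTTP session back to the device that obtained the token."""
        session = self.sessions[session_id]
        token = {"sid": session_id, "value": secrets.token_hex(8)}
        session.refresh_tokens.add(token["value"])
        return token

    def is_refresh_token_valid(self, token):
        session = self.sessions.get(token["sid"])
        return bool(session and session.active
                    and token["value"] in session.refresh_tokens)

    def register_app_session(self, token, app, http_session_id):
        """An adapter records its HTTP session under the login session named
        in the token it received, so a device logout can reach it later."""
        session = self.sessions[token["sid"]]
        session.app_http_sessions.setdefault(app, set()).add(http_session_id)

    def logout(self, session_id):
        """Device logout: invalidate refresh tokens, cookies and every
        application HTTP session of this login session only.
        Returns {app: set(http_session_ids)} that adapters must invalidate."""
        session = self.sessions[session_id]
        to_invalidate = {app: set(ids)
                         for app, ids in session.app_http_sessions.items()}
        session.refresh_tokens.clear()
        session.identity_cookie = ""
        session.remember_me_cookie = ""
        session.app_http_sessions.clear()
        session.active = False
        return to_invalidate

    def logout_all(self, user):
        """Explicit "log out from all devices": apply the device logout to
        every active login session the user has. Returns the number of
        login sessions ended."""
        ended = 0
        for session in list(self.sessions.values()):
            if session.user == user and session.active:
                self.logout(session.id)
                ended += 1
        return ended

    def active_sessions(self, user):
        return [s for s in self.sessions.values() if s.user == user and s.active]


def demo():
    """Constructed scenario: one user, two devices, two applications."""
    registry = SessionRegistry()
    phone = registry.login("alice", "phone")
    laptop = registry.login("alice", "laptop")
    phone_token = registry.issue_refresh_token(phone.id)
    laptop_token = registry.issue_refresh_token(laptop.id)
    registry.register_app_session(phone_token, "webshop", "http-1")
    registry.register_app_session(phone_token, "forum", "http-2")
    registry.register_app_session(laptop_token, "webshop", "http-3")
    # Logging out the phone reaches only the phone's application sessions.
    invalidated = registry.logout(phone.id)
    laptop_still_valid = registry.is_refresh_token_valid(laptop_token)
    remaining = len(registry.active_sessions("alice"))
    ended_by_logout_all = registry.logout_all("alice")
    return invalidated, laptop_still_valid, remaining, ended_by_logout_all
```

`demo()` plays through the case the thread describes: after the phone logs out, only the phone's HTTP sessions (`http-1`, `http-2`) are handed back for invalidation, the laptop's refresh token keeps working, and only the explicit `logout_all` ends the remaining session.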