[keycloak-dev] Account management requirements for beta1

Bill Burke bburke at redhat.com
Thu May 1 14:33:29 EDT 2014



On 5/1/2014 2:17 PM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 1 May, 2014 4:30:08 PM
>> Subject: Re: [keycloak-dev] Account management requirements for beta1
>>
>>
>>
>> On 5/1/2014 10:14 AM, Stian Thorgersen wrote:
>>> Yes, it should log out from all applications and clients, but not all
>>> devices.
>>>
>>
>> So logout is really a "device" logout.  "Device" being a mobile or
>> desktop.  Logging in creates a "login session" for the device you logged
>> in with.  A logout from that device logs the user out of all applications
>> that device has interacted with.
>
> Yep, if a user wants to logout from all devices they have to do so explicitly through the account management console. We could also support this as a query param to the logout url (/tokens/logout?logout_all)?
>

Cookie should have the login-session information already.

>>
>>
>>> To confirm, resources to invalidate includes:
>>>
>>> * Refresh tokens
>>> * Identity cookie
>>> * Remember-me cookie
>>
>> Also:
>>
>> * application http sessions.  Which means that we'll have to remember
>> which application's HTTP sessions correspond to the "login session" of
>> the device used to access the application.
>
> I assume this is the http sessions for the adapters, and not Keycloak itself? We could do this by adding the 'login session' id to the token?
>

Invalidating an http session requires a callback from the auth server to 
the adapter's server.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
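The model the thread converges on (one "login session" per device; logout revokes that session's refresh tokens, identity cookie and remember-me cookie, then calls back into each adapter that holds an HTTP session for it; an explicit "logout all" hits every session of the user) as an added toy implementation. This is illustrative code written for this note, not Keycloak's code; the class names, the `logout_all` flag and the use of a device name as the result key are assumptions.

```python
"""Toy model of per-device login sessions with back-channel logout.

Illustrative code for this note, not Keycloak's implementation. Names such as
LoginSession, Adapter, backchannel_logout and logout_all are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginSession:
    """One login from one device. Everything issued against it is revoked together."""
    id: str
    user: str
    device: str
    refresh_tokens: set = field(default_factory=set)
    apps: set = field(default_factory=set)          # adapters holding an HTTP session for it
    remember_me: Optional[str] = None                # remember-me cookie value, if issued


class Adapter:
    """Application-side adapter: maps its HTTP sessions to the login session they came from."""

    def __init__(self, name):
        self.name = name
        self.http_sessions = {}                      # http session id -> login session id

    def create_http_session(self, token):
        sid = secrets.token_hex(8)
        self.http_sessions[sid] = token["session_id"]  # login-session id carried in the token
        return sid

    def backchannel_logout(self, login_session_id):
        """Callback from the auth server: drop every HTTP session tied to that login session."""
        doomed = [k for k, v in self.http_sessions.items() if v == login_session_id]
        for k in doomed:
            del self.http_sessions[k]
        return len(doomed)


class AuthServer:
    def __init__(self):
        self.sessions = {}        # identity cookie value (== login session id) -> LoginSession
        self.refresh_index = {}   # refresh token -> login session id
        self.remember_index = {}  # remember-me cookie -> login session id
        self.adapters = {}        # app name -> Adapter

    def register_adapter(self, adapter):
        self.adapters[adapter.name] = adapter

    def login(self, user, device, remember_me=False):
        s = LoginSession(id=secrets.token_hex(16), user=user, device=device)
        if remember_me:
            s.remember_me = secrets.token_hex(16)
            self.remember_index[s.remember_me] = s.id
        self.sessions[s.id] = s
        return s.id                                  # value the identity cookie carries

    def issue_token(self, identity_cookie, app):
        """Token for one application; records that the app now belongs to this login session."""
        s = self.sessions[identity_cookie]
        refresh = secrets.token_hex(16)
        s.refresh_tokens.add(refresh)
        s.apps.add(app)
        self.refresh_index[refresh] = s.id
        return {"session_id": s.id, "user": s.user, "refresh_token": refresh}

    def refresh(self, refresh_token):
        return refresh_token in self.refresh_index

    def _kill(self, s):
        for r in s.refresh_tokens:
            self.refresh_index.pop(r, None)
        if s.remember_me:
            self.remember_index.pop(s.remember_me, None)
        # The HTTP sessions live in the adapters, so the server must call each one back.
        notified = {app: self.adapters[app].backchannel_logout(s.id) for app in s.apps}
        del self.sessions[s.id]
        return notified

    def logout(self, identity_cookie, logout_all=False):
        """Device logout by default; logout_all revokes every session of the same user."""
        s = self.sessions.get(identity_cookie)
        if s is None:
            return {}
        targets = [x for x in list(self.sessions.values()) if x.user == s.user] if logout_all else [s]
        return {t.device: self._kill(t) for t in targets}


if __name__ == "__main__":
    auth = AuthServer()
    for name in ("app1", "app2"):
        auth.register_adapter(Adapter(name))
    phone = auth.login("alice", "phone", remember_me=True)
    laptop = auth.login("alice", "laptop")
    for name in ("app1", "app2"):
        auth.adapters[name].create_http_session(auth.issue_token(phone, name))
    auth.adapters["app1"].create_http_session(auth.issue_token(laptop, "app1"))
    print(auth.logout(phone))                         # only the phone's sessions are torn down
    print(auth.logout(laptop, logout_all=True))       # remaining sessions of alice go too
```

The point the model makes explicit: the adapter never sees the identity or remember-me cookies, so the only way the server can reach the application's HTTP session is the `backchannel_logout` callback, which is why the token has to carry the login-session id.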
