[keycloak-dev] User sessions added

Bill Burke bburke at redhat.com
Fri May 9 09:52:20 EDT 2014


Duh... :)  Now its my turn to be slow...

So the iframe solution is a good one :)  I'll add it to keycloak.js


On 5/9/2014 9:38 AM, Stian Thorgersen wrote:
> Could we not have a separate session state cookie that is not HttpOnly?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 9 May, 2014 2:36:09 PM
>> Subject: Re: [keycloak-dev] User sessions added
>>
>> That's what I was saying before.  There is no benefit in using Iframes
>> if your login cookies are HttpOnly.  Your set timeout is *already*
>> happening indirectly via refresh tokens.
>>
>> The only other benefit might be in that you'd have to enable CORS for
>> that "ping" request which might be a pain.
>>
>> On 5/9/2014 9:10 AM, Stian Thorgersen wrote:
>>> What then is the benefit of having this iframe compared to just adding
>>> something like the following to keycloak.js:
>>>
>>> setTimeout(function() {
>>>     var req = new XMLHttpRequest();
>>>     req.open('GET',
>>>     'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...',
>>>     true);
>>>     req.onreadystatechange = function () {
>>>       if (req.readyState == 4 && req.status == 200) {
>>>         var status = JSON.parse(req.responseText);
>>>         if (!status.active) {
>>>           clearToken();
>>>         }
>>>       }
>>>     }
>>>     req.send();
>>> }, 3000);
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 9 May, 2014 1:41:02 PM
>>>> Subject: Re: [keycloak-dev] User sessions added
>>>>
>>>>
>>>>
>>>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
>>>>> User sessions have been added. In summary when a user logs in a new
>>>>> session
>>>>> is created (and persisted in the model). The identity cookie as well as
>>>>> all tokens/refresh-tokens are associated with a session. When a user logs
>>>>> out the session is invalidated (removed from the model), which
>>>>> invalidates
>>>>> the identity cookie and all tokens/refresh-tokens.
>>>>>
>>>>> There's two related issues left to do:
>>>>>
>>>>> * Make sure adapters only log out a specific session (if LoginAction
>>>>> contains a session id)
>>>>> * Allow a user to log out all sessions through the account management
>>>>> console
>>>>>
>>>>> Also, we may want some mechanism to retrieve the status of a session from
>>>>> applications. This could be a REST endpoint, or the crazy iframe
>>>>> technique
>>>>> from OpenID Connect. I think this can be postponed to after 1.0 though.
>>>>>
>>>>
>>>> The crazy IFrame techique would require this REST "ping".  At least for
>>>> us, as our cookies would be http-only.
>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list