[keycloak-dev] User sessions added
Bill Burke
bburke at redhat.com
Fri May 9 10:03:49 EDT 2014
This actually helps alot with single log out and the admin console!
On 5/9/2014 9:57 AM, Stian Thorgersen wrote:
> Good thing we are slow about different things, otherwise we'd not manage to do anything ;)
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 9 May, 2014 2:52:20 PM
>> Subject: Re: [keycloak-dev] User sessions added
>>
>> Duh... :) Now its my turn to be slow...
>>
>> So the iframe solution is a good one :) I'll add it to keycloak.js
>>
>>
>> On 5/9/2014 9:38 AM, Stian Thorgersen wrote:
>>> Could we not have a separate session state cookie that is not HttpOnly?
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 9 May, 2014 2:36:09 PM
>>>> Subject: Re: [keycloak-dev] User sessions added
>>>>
>>>> That's what I was saying before. There is no benefit in using Iframes
>>>> if your login cookies are HttpOnly. Your set timeout is *already*
>>>> happening indirectly via refresh tokens.
>>>>
>>>> The only other benefit might be in that you'd have to enable CORS for
>>>> that "ping" request which might be a pain.
>>>>
>>>> On 5/9/2014 9:10 AM, Stian Thorgersen wrote:
>>>>> What then is the benefit of having this iframe compared to just adding
>>>>> something like the following to keycloak.js:
>>>>>
>>>>> setTimeout(function() {
>>>>> var req = new XMLHttpRequest();
>>>>> req.open('GET',
>>>>> 'http://localhost:8080/auth/rest/realms/realm/tokens/session-status?session_state=...',
>>>>> true);
>>>>> req.onreadystatechange = function () {
>>>>> if (req.readyState == 4 && req.status == 200) {
>>>>> var status = JSON.parse(req.responseText);
>>>>> if (!status.active) {
>>>>> clearToken();
>>>>> }
>>>>> }
>>>>> }
>>>>> req.send();
>>>>> }, 3000);
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Sent: Friday, 9 May, 2014 1:41:02 PM
>>>>>> Subject: Re: [keycloak-dev] User sessions added
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/9/2014 6:59 AM, Stian Thorgersen wrote:
>>>>>>> User sessions have been added. In summary when a user logs in a new
>>>>>>> session
>>>>>>> is created (and persisted in the model). The identity cookie as well as
>>>>>>> all tokens/refresh-tokens are associated with a session. When a user
>>>>>>> logs
>>>>>>> out the session is invalidated (removed from the model), which
>>>>>>> invalidates
>>>>>>> the identity cookie and all tokens/refresh-tokens.
>>>>>>>
>>>>>>> There's two related issues left to do:
>>>>>>>
>>>>>>> * Make sure adapters only log out a specific session (if LoginAction
>>>>>>> contains a session id)
>>>>>>> * Allow a user to log out all sessions through the account management
>>>>>>> console
>>>>>>>
>>>>>>> Also, we may want some mechanism to retrieve the status of a session
>>>>>>> from
>>>>>>> applications. This could be a REST endpoint, or the crazy iframe
>>>>>>> technique
>>>>>>> from OpenID Connect. I think this can be postponed to after 1.0 though.
>>>>>>>
>>>>>>
>>>>>> The crazy IFrame techique would require this REST "ping". At least for
>>>>>> us, as our cookies would be http-only.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list