[keycloak-dev] oauth clients and session problems

Stian Thorgersen stian at redhat.com
Fri May 16 11:30:31 EDT 2014


In that case I'm not convinced. I'd expect all 'clients' to be logged out when I log out of the SSO realm. Unless I've explicitly granted the client offline access (something we don't really support atm).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 16 May, 2014 4:09:00 PM
> Subject: Re: [keycloak-dev] oauth clients and session problems
> 
> No, I'm talking about browser-based oauth grant.  Where the client
> initiating the token request is an oauth client and the user has to
> login and go to the oauth grant page.
> 
> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> > Are you talking about 'tokens/grants/access'?
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 16 May, 2014 2:48:06 PM
> >> Subject: [keycloak-dev] oauth clients and session problems
> >>
> >> I think oauth grants are a different animal than application logins.
> >> Applications are part of an SSO session, while oauth grants will
> >> probably not want to be part of an SSO session.  Why? If an Oauth grant
> >> requires entering in user credentials, right now, Keycloak will create an
> >> identity cookie.  The user might not know in this situation that they
> >> need to logout.
> >>
> >> I was thinking that:
> >>
> >> 1. OAuth Client grant requests should always have a new session created
> >> for them.
> >> 2. OAuth client grant requests should not ever set any cookies.  It's ok
> >> to use existing cookies for authentication though.
> >> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
> >> for each oauth client and application.
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
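The two positions in this thread can be made concrete with a small session model. The following is an added example written for this page, not Keycloak's own code: `Realm`, `ClientConfig`, `Session` and the `offline_access` flag are hypothetical names chosen to mirror the three proposed rules (a grant always gets its own session, never sets the identity cookie but may consume an existing one, and `ssoSessionIdleTimeout` / `ssoSessionMaxLifespan` are overridable per client) together with the reply's expectation that a realm logout ends every client session unless offline access was explicitly granted.

```python
import time
from dataclasses import dataclass, field


@dataclass
class ClientConfig:
    client_id: str
    is_oauth_client: bool          # True: browser-based OAuth grant client; False: SSO application
    idle_timeout: int = 1800       # per-client override of ssoSessionIdleTimeout, in seconds
    max_lifespan: int = 36000      # per-client override of ssoSessionMaxLifespan, in seconds
    offline_access: bool = False   # hypothetical flag standing in for the thread's "offline access"


@dataclass
class Session:
    session_id: str
    user: str
    started: float
    last_seen: float
    sets_cookie: bool                        # only SSO application logins set the identity cookie
    clients: set = field(default_factory=set)


class Realm:
    """Hypothetical realm: SSO sessions for applications, per-grant sessions for OAuth clients."""

    def __init__(self):
        self.clients = {}
        self.sessions = {}
        self._next = 0

    def register(self, cfg):
        self.clients[cfg.client_id] = cfg

    def _new_session(self, user, client_id, now, sets_cookie):
        self._next += 1
        sid = f"sess-{self._next}"
        self.sessions[sid] = Session(sid, user, now, now, sets_cookie, {client_id})
        return sid

    @staticmethod
    def _within(s, cfg, now):
        # Rule 3: idle timeout and max lifespan come from the client's own override.
        return (now - s.last_seen) <= cfg.idle_timeout and (now - s.started) <= cfg.max_lifespan

    def is_active(self, session_id, client_id, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(session_id)
        return s is not None and client_id in s.clients and self._within(s, self.clients[client_id], now)

    def login(self, user, client_id, cookie=None, now=None):
        """Authenticate `user` for `client_id`; returns (session_id, cookie_to_set).
        cookie_to_set is None whenever no identity cookie must be written."""
        now = time.time() if now is None else now
        cfg = self.clients[client_id]
        sso = self.sessions.get(cookie) if cookie else None
        if sso is not None and (sso.user != user or
                                not any(self._within(sso, self.clients[c], now) for c in sso.clients)):
            sso = None                       # stale or foreign cookie: fall back to a fresh login
        if cfg.is_oauth_client:
            # Rules 1 and 2: a grant always gets its own session and never sets a cookie.
            # A valid existing cookie may still be used to skip re-entering credentials.
            return self._new_session(user, client_id, now, sets_cookie=False), None
        if sso is not None:
            sso.clients.add(client_id)       # application joins the SSO session the cookie points at
            sso.last_seen = now
            return cookie, None
        sid = self._new_session(user, client_id, now, sets_cookie=True)
        return sid, sid                      # the identity cookie carries the SSO session id

    def logout_realm(self, user):
        """Realm logout as the reply expects it: every session of the user ends,
        except a session whose clients were all explicitly granted offline access."""
        kept = []
        for sid, s in list(self.sessions.items()):
            if s.user != user:
                continue
            if all(self.clients[c].offline_access for c in s.clients):
                kept.append(sid)
            else:
                del self.sessions[sid]
        return kept
```

Logging `alice` into an application sets the cookie, a subsequent grant for an OAuth client with that cookie gets a separate session and no cookie, the grant's shorter idle timeout expires it before the SSO session, and `logout_realm` then removes everything except the session of a client flagged `offline_access`.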

