[keycloak-dev] oauth clients and session problems

Bill Burke bburke at redhat.com
Fri May 16 11:38:59 EDT 2014


OAuth clients shouldn't create an identity cookie at least.  Again, 
because the user might not know they are logged in.  Meaning, if the 
user isn't already logged in, then the oauth grant page will not 
set/refresh the KEYCLOAK_IDENTITY cookie.

I'm most worried about doing an OAuth client grant and the user not 
knowing they are logged in.  They step away from the browser, and still 
have their SSO session active.

On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
> In that case I'm not convinced. I'd expect all 'clients' to be logged out when I logout of the SSO realm. Unless I've explicitly granted the client offline access (something we don't really support atm).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 16 May, 2014 4:09:00 PM
>> Subject: Re: [keycloak-dev] oauth clients and session problems
>>
>> No, I'm talking about browser-based oauth grant.  Where the client
>> initiating the token request is an oauth client and the user has to
>> login and go to the oauth grant page.
>>
>> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
>>> Are you talking about 'tokens/grants/access'?
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 16 May, 2014 2:48:06 PM
>>>> Subject: [keycloak-dev] oauth clients and session problems
>>>>
>>>> I think oauth grants are a different animal than application logins.
>>>> Applications are part of an SSO session, while oauth grants will
>>>> probably not want to be part of an SSO session.  Why? If an OAuth grant
>>>> requires entering in user credentials, right now, Keycloak will create an
>>>> identity cookie.  The user might not know in this situation that they
>>>> need to logout.
>>>>
>>>> I was thinking that:
>>>>
>>>> 1. OAuth Client grant requests should always have a new session created
>>>> for them.
>>>> 2. OAuth client grant requests should not ever set any cookies.  It's ok
>>>> to use existing cookies for authentication though.
>>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
>>>> for each oauth client and application.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
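The three rules proposed in the quoted message, written out as an added model of the server-side decision (this is illustration code, not Keycloak's own implementation; the Realm, Client and Session names and the numeric timeouts are assumptions). Application logins set or refresh KEYCLOAK_IDENTITY and join the SSO session; OAuth grants may consume a valid existing cookie to identify the user but always get their own session, never touch the SSO session, and never set a cookie; the idle timeout can be overridden per client.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"  # the SSO identity cookie named in the thread

@dataclass
class Client:
    client_id: str
    is_oauth_client: bool                   # True: OAuth grant client, False: application
    sso_idle_timeout: Optional[int] = None  # per-client override of the realm idle timeout (s)

@dataclass
class Session:
    user: str
    client_id: str
    last_access: float

@dataclass
class Realm:
    sso_session_idle_timeout: int = 1800    # realm default (seconds), assumed value
    clients: Dict[str, Client] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _new_session(self, user: str, client_id: str, now: float) -> str:
        sid = f"sess-{len(self.sessions) + 1}"  # constructed id; a real server uses a random one
        self.sessions[sid] = Session(user, client_id, now)
        return sid

    def session_valid(self, sid: str, now: float) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        idle = self.clients[s.client_id].sso_idle_timeout or self.sso_session_idle_timeout
        return now - s.last_access <= idle

    def authenticate(self, client_id, credentials_user, cookies, now):
        client = self.clients[client_id]
        existing = cookies.get(IDENTITY_COOKIE)
        valid = existing is not None and self.session_valid(existing, now)
        user = self.sessions[existing].user if valid else credentials_user
        if user is None:
            raise PermissionError("credentials required")
        if client.is_oauth_client:
            # OAuth grant: the cookie may identify the user, but the grant gets its own session,
            # the SSO session is not refreshed and no cookie is set (rules 1 and 2 in the thread).
            return self._new_session(user, client_id, now), {}
        # Application login: join the SSO session if the cookie is valid, else create one; set/refresh KEYCLOAK_IDENTITY.
        if valid:
            self.sessions[existing].last_access = now
            return existing, {IDENTITY_COOKIE: existing}
        sid = self._new_session(user, client_id, now)
        return sid, {IDENTITY_COOKIE: sid}
```

`authenticate` returns the session id and the cookies the response must set; an empty dict for an OAuth grant is the whole point, since nothing lingers in the browser after the user steps away.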

