[keycloak-dev] oauth clients and session problems
Stian Thorgersen
stian at redhat.com
Fri May 16 11:47:52 EDT 2014
Surely the user has to login first though, before the oauth grant page is displayed?
Google, Facebook, Twitter, etc. all require that you are logged in with them prior to displaying a grant page.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 16 May, 2014 4:38:59 PM
> Subject: Re: [keycloak-dev] oauth clients and session problems
>
> OAuth clients shouldn't create an identity cookie at least. Again,
> because the user might not know they are logged in. Meaning, if the
> user isn't already logged in, then the oauth grant page will not
> set/refresh the KEYCLOAK_IDENTITY cookie.
>
> I'm most worried about doing an oauth client grant and the user not
> knowing they are logged in. They step away from the browser, and still
> have their SSO session active.
>
> On 5/16/2014 11:30 AM, Stian Thorgersen wrote:
> > In that case I'm not convinced. I'd expect all 'clients' to be logged out
> > when I logout of the SSO realm. Unless I've explicitly granted the client
> > offline access (something we don't really support atm).
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 16 May, 2014 4:09:00 PM
> >> Subject: Re: [keycloak-dev] oauth clients and session problems
> >>
> >> No, I'm talking about browser-based oauth grant. Where the client
> >> initiating the token request is an oauth client and the user has to
> >> login and go to the oauth grant page.
> >>
> >> On 5/16/2014 9:55 AM, Stian Thorgersen wrote:
> >>> Are you talking about 'tokens/grants/access'?
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Friday, 16 May, 2014 2:48:06 PM
> >>>> Subject: [keycloak-dev] oauth clients and session problems
> >>>>
> >>>> I think oauth grants are a different animal than application logins.
> >>>> Applications are part of an SSO session, while oauth grants will
> >>>> probably not want to be part of an SSO session. Why? If an OAuth grant
> >>>> requires entering in user credentials, right now, Keycloak will create an
> >>>> identity cookie. The user might not know in this situation that they
> >>>> need to logout.
> >>>>
> >>>> I was thinking that:
> >>>>
> >>>> 1. OAuth Client grant requests should always have a new session created
> >>>> for them.
> >>>> 2. OAuth client grant requests should not ever set any cookies. It's ok
> >>>> to use existing cookies for authentication though.
> >>>> 3. ssoSessionIdleTimeout and ssoSessionMaxLifespan should be overridable
> >>>> for each oauth client and application.
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
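The three rules Bill proposes in the quoted message (a fresh session per OAuth client grant, no identity cookie set or refreshed by a grant although an existing one may authenticate the user, and per-client overrides of the idle timeout and max lifespan), as a small Python model added here; this is not Keycloak code, and the Realm, Client and Session names and the authenticate() method are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

IDENTITY_COOKIE = "KEYCLOAK_IDENTITY"  # cookie name as used in the thread


@dataclass
class Client:
    name: str
    oauth_grant: bool                   # True for a browser-based OAuth grant
    idle_timeout: Optional[int] = None  # proposal 3: per-client overrides
    max_lifespan: Optional[int] = None  # (None means "use the realm value")


@dataclass
class Session:
    id: str
    client: str
    created: float
    last_seen: float
    idle_timeout: int
    max_lifespan: int


@dataclass
class Realm:
    sso_idle_timeout: int = 1800
    sso_max_lifespan: int = 36000
    sessions: dict = field(default_factory=dict)  # session id -> Session

    def valid(self, sid, now):
        s = self.sessions.get(sid)
        return (s is not None and now - s.last_seen <= s.idle_timeout
                and now - s.created <= s.max_lifespan)

    def _new_session(self, client, now):
        s = Session(secrets.token_hex(8), client.name, now, now,
                    client.idle_timeout or self.sso_idle_timeout,
                    client.max_lifespan or self.sso_max_lifespan)
        self.sessions[s.id] = s
        return s

    def authenticate(self, client, cookies, credentials_ok, now):
        """Return (session_id, cookies_to_set), or None if not authenticated."""
        sso = cookies.get(IDENTITY_COOKIE)
        if not self.valid(sso, now):
            if not credentials_ok:
                return None  # neither a live SSO cookie nor valid credentials
            sso = None
        if client.oauth_grant:
            # proposals 1 and 2: own session with the client's lifetimes;
            # the identity cookie is neither set nor refreshed
            return self._new_session(client, now).id, {}
        if sso is None:
            sso = self._new_session(client, now).id
        self.sessions[sso].last_seen = now  # application joins the SSO session
        return sso, {IDENTITY_COOKIE: sso}
```

Under these rules a grant performed with fresh credentials leaves no SSO cookie in the browser, which is the "user does not know they are logged in" case the thread is worried about.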