[keycloak-dev] Session SPI for adapters

Stian Thorgersen stian at redhat.com
Thu Oct 2 09:12:29 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 2 October, 2014 3:01:53 PM
> Subject: Re: [keycloak-dev] Session SPI for adapters
> 
> 
> 
> On 10/2/2014 4:47 AM, Stian Thorgersen wrote:
> > Currently adapters use the HTTP session to manage sessions. This works fine
> > for most, but I believe there are situations when something different is
> > needed. For example for stateless applications. It also doesn't work for
> > bearer-only applications, or OAuth clients.
> >
> 
> What doesn't work for bearer-only applications? It works fine.  Bearer
> is completely stateless already and doesn't rely on the HTTP Session for
> anything.

Bearer-only doesn't have any way to check if a session is still valid.

> 
> > I propose we add a Session SPI to adapters, which allows plugging in a
> > mechanism to manage user sessions. The interface would be something along
> > the lines of:
> >
> > * void addSession(String userId, String sessionId)
> > * boolean isSessionValid(String sessionId)
> > * boolean removeSession(String userId, String sessionId)
> >
> 
> We already have something.  JBossWeb session mgmt API != Undertow
> session mgmt so there is already an abstraction.
> 
> > We could provide a few built in providers:
> >
> > * HTTP Session - store in HTTP session as we currently do
> > * Infinispan - store in an Infinispan cache
> > * JPA - store in a database
> > * Keycloak Session Endpoint - we could add a session info endpoint to
> > Keycloak
> > * None - no session management (relies on expiration of access token to
> > logout users)
> >
> 
> I'm not convinced at all we need this.  We shouldn't be reimplementing
> HTTP session replication as it was already done years and years ago...

The whole idea is not to require an HTTP session for applications that don't want that. There was already a guy requesting this on the mailing list.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
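
An added sketch of the three-method interface proposed in the thread, with an in-memory provider and the bearer-only validity check under discussion. This is example code, not from the thread or from Keycloak; the names `SessionStore`, `InMemorySessionStore` and `accept` are hypothetical, and it assumes the access token carries a session id and has already had its signature verified.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionSpiSketch {

    // The three operations listed in the proposal; the interface name is hypothetical.
    interface SessionStore {
        void addSession(String userId, String sessionId);
        boolean isSessionValid(String sessionId);
        boolean removeSession(String userId, String sessionId);
    }

    // In-memory provider (stands in for the Infinispan or JPA providers): sessionId -> userId.
    static final class InMemorySessionStore implements SessionStore {
        private final Map<String, String> owner = new ConcurrentHashMap<>();

        public void addSession(String userId, String sessionId) {
            owner.put(sessionId, userId);
        }

        public boolean isSessionValid(String sessionId) {
            return sessionId != null && owner.containsKey(sessionId);
        }

        // Removes the session only if it belongs to userId, so a caller
        // cannot end another user's session by supplying its id.
        public boolean removeSession(String userId, String sessionId) {
            return sessionId != null && owner.remove(sessionId, userId);
        }
    }

    // Hypothetical bearer-only check: token signature is assumed verified already;
    // expiresAt and sessionId are assumed to come from the token's claims.
    static boolean accept(SessionStore store, long expiresAt, long now, String sessionId) {
        return now < expiresAt && store.isSessionValid(sessionId);
    }

    public static void main(String[] args) {
        SessionStore store = new InMemorySessionStore();
        store.addSession("alice", "s-1");                         // constructed sample values
        System.out.println(accept(store, 2000, 1000, "s-1"));    // session is live
        System.out.println(store.removeSession("bob", "s-1"));   // wrong owner, nothing removed
        store.removeSession("alice", "s-1");                      // logout
        System.out.println(accept(store, 2000, 1000, "s-1"));    // token unexpired, session gone
    }
}
```

With a "None" provider, `isSessionValid` would always return true and the last call would accept the token until it expires.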

