[keycloak-dev] Session SPI for adapters

Bill Burke bburke at redhat.com
Fri Oct 3 11:27:46 EDT 2014



On 10/3/2014 6:30 AM, Marek Posolda wrote:
> On 3.10.2014 08:38, Stian Thorgersen wrote:
>> Let's take a step-back here and consider the problem instead of a potential solution.
>>
>> Currently we require all applications to have an HTTP session to keep track of the users session as well as storing the tokens. When an application is clustered this requires replicating the HTTP session to all nodes, or using sticky load balancer sessions.
>>
>> I think it's quite likely that some don't want to have an HTTP session and instead store the token in a cookie to make the application fully stateless. That's simple enough to add, right? And storing the token in an http-only cookie should be safe as well. However, one issue remains: how do we deal with single sign-out in this case? As there's no state kept in the application, a logout admin event from Keycloak isn't going to work. So would we just rely on the access token expiring in this case? Or could we add something better?
> One possibility I can think about is, that adapters would have some
> option to specify if they are:
> - stateful (In this case HttpSession is used as is now)
> - stateless (In this case token stored in the cookie like
> KEYCLOAK_PRINCIPAL)
>

Stateless browser apps could also just be configured to override token 
timeouts.  Either:

a) Refresh the access token on every request
b) Do a shorter token timeout.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
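The stateless option discussed in this thread, as an added illustration (not code from Keycloak or from anyone on the list): the adapter keeps no server-side session, reads the token from an http-only cookie on every request, verifies signature and expiry, and can either re-issue the token on each request (option a) or rely on a short lifetime (option b). The `logout_window` helper makes the single-sign-out gap explicit: with no application state, a logout event cannot be acted on, so the token stays valid until its `exp`. Everything here is constructed for the example: the HMAC key, the compact `payload.signature` token format (a real realm signs JWTs with its RSA key), the injected `now` clock, and the function names.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; Keycloak signs real access tokens with the realm's RSA key.
SECRET = b"demo-realm-key-not-for-production"
COOKIE_NAME = "KEYCLOAK_PRINCIPAL"  # cookie name mentioned in the thread


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, lifetime: int, now: float) -> str:
    """Mint a compact 'payload.signature' token with an absolute expiry (constructed format)."""
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + lifetime}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload = _unb64(p64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s64)):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None
    except (ValueError, TypeError, KeyError):
        return None
    return claims


def handle_request(cookies: dict, now: float, lifetime: int, refresh_every_request: bool):
    """One request through a stateless adapter: no HttpSession, the cookie is the only state.

    Returns (principal or None, Set-Cookie header value or None).
    """
    token = cookies.get(COOKIE_NAME)
    claims = verify_token(token, now) if token else None
    if claims is None:
        return None, None
    set_cookie = None
    if refresh_every_request:
        # Option (a): re-mint on every request, so the lifetime can be short
        # without forcing an active user to re-authenticate.
        fresh = issue_token(claims["sub"], lifetime, now)
        set_cookie = f"{COOKIE_NAME}={fresh}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return claims["sub"], set_cookie


def logout_window(lifetime: int, logout_at: float, issued_at: float) -> float:
    """Seconds a stateless app keeps accepting a token after single sign-out at the IdP.

    Nothing in the app can react to the logout event, so the window is simply
    whatever lifetime is left on the token; option (b) shrinks it.
    """
    return max(0.0, (issued_at + lifetime) - logout_at)


if __name__ == "__main__":
    tok = issue_token("alice", 300, 1000.0)
    print(handle_request({COOKIE_NAME: tok}, 1100.0, 300, refresh_every_request=True))
    print("accepted after logout for", logout_window(300, 1100.0, 1000.0), "s")
    print("with a 60 s lifetime:", logout_window(60, 1100.0, 1000.0), "s")
```

The trade-off the thread sketches falls out of the numbers: a 300 s token issued at t=1000 is still accepted 200 s after a logout at t=1100, while a 60 s token is already dead; refreshing on every request keeps the short lifetime usable for an active user.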

