[keycloak-dev] Session SPI for adapters

Marek Posolda mposolda at redhat.com
Sun Oct 5 17:04:10 EDT 2014


On 3.10.2014 17:27, Bill Burke wrote:
>
> On 10/3/2014 6:30 AM, Marek Posolda wrote:
>> On 3.10.2014 08:38, Stian Thorgersen wrote:
>>> Let's take a step-back here and consider the problem instead of a potential solution.
>>>
>>> Currently we require all applications to have an HTTP session to keep track of the user's session as well as storing the tokens. When an application is clustered this requires replicating the HTTP session to all nodes, or using sticky load balancer sessions.
>>>
>>> I think it's quite likely that some don't want to have an HTTP session and instead store the token in a cookie to make the application fully stateless. That's simple enough to add, right? And storing the token in an http-only cookie should be safe as well. However, one issue remains: how do we deal with single sign-out in this case? As there's no state kept in the application, a logout admin event from Keycloak isn't going to work. So would we just rely on the access token expiring in this case? Or could we add something better?
>> One possibility I can think about is that adapters would have some
>> option to specify if they are:
>> - stateful (In this case HttpSession is used as it is now)
>> - stateless (In this case the token is stored in a cookie like
>> KEYCLOAK_PRINCIPAL)
>>
> Stateless browser apps could also just be configured to override token
> timeouts.  Either:
>
> a) Refresh the access token on every request
> b) Do a shorter token timeout.
>
Ok, (b) is already possible. For (a) we can add an option to adapters?