[keycloak-dev] Session SPI for adapters

Stian Thorgersen stian at redhat.com
Mon Oct 6 07:16:49 EDT 2014



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Sunday, 5 October, 2014 11:04:10 PM
> Subject: Re: [keycloak-dev] Session SPI for adapters
> 
> On 3.10.2014 17:27, Bill Burke wrote:
> >
> > On 10/3/2014 6:30 AM, Marek Posolda wrote:
> >> On 3.10.2014 08:38, Stian Thorgersen wrote:
> >>> Let's take a step-back here and consider the problem instead of a
> >>> potential solution.
> >>>
> >>> Currently we require all applications to have an HTTP session to keep
> >>> track of the users session as well as storing the tokens. When an
> >>> application is clustered this requires replicating the HTTP session to
> >>> all nodes, or using sticky load balancer sessions.
> >>>
> >>> I think it's quite likely that some don't want to have an HTTP session and
> >>> instead store the token in a cookie to make the application fully
> >>> stateless. That's simple enough to add, right? And storing the token in an
> >>> http-only cookie should be safe as well. However, one issue remains: how
> >>> do we deal with single sign-out in this case? As there's no state kept
> >>> in the application, a logout admin event from Keycloak isn't going to
> >>> work. So would we just rely on the access token expiring in this case?
> >>> Or could we add something better?
> >> One possibility I can think of is that adapters would have some
> >> option to specify if they are:
> >> - stateful (in this case HttpSession is used as it is now)
> >> - stateless (in this case the token is stored in a cookie like
> >> KEYCLOAK_PRINCIPAL)
> >>
> > Stateless browser apps could also just be configured to override token
> > timeouts.  Either:
> >
> > a) Refresh the access token on every request
> > b) Do a shorter token timeout.
> >
> Ok, (b) is already possible. For (a) we can add an option to adapters?

Instead of (a), would it not be better to add an endpoint to Keycloak that allows verifying a token? Then add an option to an adapter to optionally do this on every request? If I remember correctly this endpoint may already exist.


