[keycloak-dev] session_state changed to ClientSession id?

Marek Posolda mposolda at redhat.com
Fri Feb 20 09:13:32 EST 2015


On 20.2.2015 13:48, Bill Burke wrote:
>
> On 2/20/2015 3:22 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, February 19, 2015 8:54:48 PM
>>> Subject: Re: [keycloak-dev] session_state changed to ClientSession id?
>>>
>>>
>>>
>>> On 2/19/2015 1:10 AM, Stian Thorgersen wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: keycloak-dev at lists.jboss.org
>>>>> Sent: Thursday, February 19, 2015 4:25:48 AM
>>>>> Subject: [keycloak-dev] session_state changed to ClientSession id?
>>>>>
>>>>> Can I change the session_state in the access token (and refresh token)
>>>>> to point to ClientSession id instead?  Right now it points to the user
>>>>> session id.
>>>> What's the benefits of doing that?
>>>>
>>>> It might have some impact on the Infinispan provider. For best performance
>>>> user sessions should be retrieved by id, which we won't be able to do if
>>>> we don't have it.
>>>>
>>> Access and refresh tokens should be associated with a client session so
>>> that we can track back an audit.  For claim mapping, I'm also allowing
>>> admins to map client session notes into the token.  There might be
>>> temporary protocol specific information stored there.
>>>
>>> I can just add a new client_session claim if needed.
>> If everything changes to lookup by client session id it should work fine. It would require a bit of tinkering though.
>>
>> On a related note would it make sense to create a single client session per client per user session? For example as the admin console doesn't store tokens (and any client using keycloak.js is the same) a new client session is created if a user refreshes the page.
>>
> Neither refreshing the page nor the refresh token causes a new client session to be
> submitted.  If a completely different browser is used to visit the app,
> then yes, there is a different client session.  In that case, you still
> want a new client session to be created because it would be a totally
> different HttpSession for the client.
>
>
Yes, but with a different browser it's also a completely different
UserSession. It makes sense to me to have a single ClientSession per:
Client + UserSession.

But not per: Client + User

So if the same user visits the admin console from 2 different browsers, it
should be 2 client sessions. If he just refreshes the admin console from the
same browser, it's the same UserSession and hence 1 client session.

Marek