[keycloak-dev] Idle timeout notification

Stan Silvert ssilvert at redhat.com
Tue Jun 30 14:10:00 EDT 2015


On 6/30/2015 1:42 PM, Bill Burke wrote:
>
> On 6/30/2015 11:00 AM, Stan Silvert wrote:
>> On 6/30/2015 9:22 AM, Bill Burke wrote:
>>> On 6/30/2015 8:23 AM, Stan Silvert wrote:
>>>> On 6/29/2015 8:34 PM, Bill Burke wrote:
>>>>> On 6/29/2015 5:39 PM, Stan Silvert wrote:
>>>>>> On 6/29/2015 5:26 PM, Bill Burke wrote:
>>>>>>> We do need some way to listen at the adapter level for a logout event
>>>>>>> sent by the auth server.  Undertow and Tomcat and Jetty all have ways to
>>>>>>> listen for session invalidation events I believe too.  Not sure if the
>>>>>>> servlet spec has something standard.
>>>>>> Yes, the servlet spec has HttpSessionListener with a sessionDestroyed()
>>>>>> callback.
>>>>>>
>>>>>> We could come up with some javascript that you put on the client side
>>>>>> that registers with the adapter and gets notified of session
>>>>>> invalidation.  I'm just wondering if it's something we should provide or
>>>>>> not.
>>>>> Javascript adapter already checks for logout.
>>>>>
>>>> What would you suggest for apps that use the other adapters?
>>> They should use regular servlet means to timeout the session.
>>>
>> That's not what I'm asking about.  I'm asking if we should provide a
>> standard callback to the client when the timeout occurs.
>>
>> The client wants to provide a notification to the user about the session
>> timeout.  Right now, it is up to each application to build their own
>> infrastructure for doing that.
> For a servlet app, this "infrastructure" already exists.  As you said
> before, you can set up an HttpSessionListener.  For a javascript app,
> our javascript adapter already handles this.
And how does the user get notified?
>
>>   But we could provide an out of the box
>> solution that works for the entire realm.  What we would need is a
>> standard way for the client to register a callback with our adapters.
>> Or it could register the callback with the Keycloak server.  (Or a
>> heartbeat instead of a callback.  There are many ways to do this.)
>>
>> The main point is that Keycloak could provide a realm-wide solution.
>> That's what the customer is wanting.
> Our background session expiration task currently just wipes away the
> sessions in Keycloak server.  If it was changed to perform a
> backchannel logout, then the adapters would always get notified and
> again, the app developer can just implement an HttpSessionListener.
>
>
>
