[keycloak-dev] application session state update
Bastian Ike
bastian.ike at aoe.com
Tue Mar 31 10:19:31 EDT 2015
Am 31.03.15 16:12 schrieb "Bill Burke" unter <bburke at redhat.com>:
>
>
>On 3/31/2015 4:28 AM, Marek Posolda wrote:
>> On 31.3.2015 10:16, Sebastian Rose wrote:
>>>> That's actually related to the application session (kind of
>>>>HttpSession
>>>> ID in web application secured by keycloak). We can add support for
>>>> changing application_session_state in refreshToken endpoint instead of
>>>> introducing separate endpoint. Will it be sufficient for your usecase?
>>>> Marek
>>> As Bastian already said...
>>> Thanks for your response. Yes, i think this would work for us.
>>>
>>> I will create a JIRA for that and contribute a change via pull request
>>>(if this is fine for you)?
>> yep, thanks. There is some refactoring in latest master, you would need
>> to look at TokenEndpoint.buildRefreshToken now (TokenEndpoint is new
>> class, which didn't exist in 1.1.0.Final)
>>
>
>I'm not understanding what you want here. You are worried about an
>attacker getting the HTTP session id of the application? You want the
>HttpSession id to change 1) after login, 2) after refresh token? How
>does this have anything to do with the auth server? Wouldn't this be an
>adapter feature?
Yes, and 1) is already in place.
I want to send the new session id to keycloak so when keycloak pushes the
logout notification (using the application admin rest interface) I get the
correct session id I need to logout in my application.
The session id is saved in keycloak when we get the initial access codes
using
realms/realm/protocol/openid-connect/access/codes
We can submit the application_session_state (so keycloak can push a logout
for this session to our application), but we change it after this happend
(after we are sure the authentication was successfull). At this point the
SID in keycloak is different from the one we have newly created, so we
need a way to update the application_session_state in keycloak. Marek's
idea was to add this feature to the token-refresh endpoint so when we get
a new access token we can send the new/updated application_session_state
which will replace or add to the one in keycloak.
I hope this clarifies it a little bit.
>
>--
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com
>_______________________________________________
>keycloak-dev mailing list
>keycloak-dev at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list