[keycloak-dev] application session state update

Bill Burke bburke at redhat.com
Tue Mar 31 10:26:11 EDT 2015



On 3/31/2015 10:19 AM, Bastian Ike wrote:
> On 31.03.15 at 16:12, "Bill Burke" <bburke at redhat.com> wrote:
>
>
>>
>>
>> On 3/31/2015 4:28 AM, Marek Posolda wrote:
>>> On 31.3.2015 10:16, Sebastian Rose wrote:
>>>>> That's actually related to the application session (kind of
>>>>> HttpSession
>>>>> ID in web application secured by keycloak). We can add support for
>>>>> changing application_session_state in refreshToken endpoint instead of
>>>>> introducing separate endpoint. Will it be sufficient for your usecase?
>>>>> Marek
>>>> As Bastian already said...
>>>> Thanks for your response. Yes, I think this would work for us.
>>>>
>>>> I will create a JIRA for that and contribute a change via pull request
>>>> (if this is fine for you)?
>>> yep, thanks. There is some refactoring in latest master, you would need
>>> to look at TokenEndpoint.buildRefreshToken now (TokenEndpoint is new
>>> class, which didn't exist in 1.1.0.Final)
>>>
>>
>> I'm not understanding what you want here.  You are worried about an
>> attacker getting the HTTP session id of the application?  You want the
>> HttpSession id to change 1) after login, 2) after refresh token?  How
>> does this have anything to do with the auth server? Wouldn't this be an
>> adapter feature?
> Yes, and 1) is already in place.
> I want to send the new session id to keycloak so when keycloak pushes the
> logout notification (using the application admin rest interface) I get the
> correct session id I need to logout in my application.
>
> The session id is saved in keycloak when we get the initial access codes
> using
> realms/realm/protocol/openid-connect/access/codes
> We can submit the application_session_state (so keycloak can push a logout
> for this session to our application), but we change it after this happened
> (after we are sure the authentication was successful). At this point the
> SID in keycloak is different from the one we have newly created, so we
> need a way to update the application_session_state in keycloak. Marek's
> idea was to add this feature to the token-refresh endpoint so when we get
> a new access token we can send the new/updated application_session_state
> which will replace or add to the one in keycloak.
>
> I hope this clarifies it a little bit.
>

Ok, that makes sense now.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
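The desync Bastian describes, as an added example that is not part of the thread and not Keycloak's own code: a toy auth server and a toy adapter exchange the two calls the thread names (the code exchange that carries application_session_state, and the refresh-token call with Marek's proposed optional update) and then the server pushes a logout. The adapter rotates its HttpSession id after a successful login, so unless the new id is sent back on refresh, the pushed logout names a session that no longer exists. Every class, method and token format below is invented for the simulation; the endpoint behaviour is modelled from the thread, not from the Keycloak source.

```python
"""Toy model of the application_session_state desync discussed in the thread.

Added example, not Keycloak code. Simulates one auth server and one adapter:
code exchange (with application_session_state), refresh token (with the
proposed optional application_session_state update) and the admin logout push.
All names and token formats are invented for this simulation.
"""
import secrets


class ToyAuthServer:
    """Stand-in for the auth-server side: remembers, per user session, the
    application_session_state it must name when it pushes a logout."""

    def __init__(self):
        self.app_state = {}       # user-session id -> application_session_state
        self.refresh_tokens = {}  # refresh token -> user-session id

    def exchange_code(self, code, application_session_state):
        # Models realms/{realm}/protocol/openid-connect/access/codes:
        # the adapter submits its *current* session id with the code.
        user_session = "us-" + secrets.token_hex(4)
        self.app_state[user_session] = application_session_state
        refresh = "rt-" + secrets.token_hex(8)
        self.refresh_tokens[refresh] = user_session
        return {"refresh_token": refresh, "session_state": user_session}

    def refresh_token(self, refresh, application_session_state=None):
        # Models Marek's proposal: an optional application_session_state on
        # the refresh call replaces the one stored at code exchange.
        user_session = self.refresh_tokens.pop(refresh)
        if application_session_state is not None:
            self.app_state[user_session] = application_session_state
        new_refresh = "rt-" + secrets.token_hex(8)
        self.refresh_tokens[new_refresh] = user_session
        return {"refresh_token": new_refresh, "session_state": user_session}

    def push_logout(self, user_session, app):
        # Models the admin REST logout push: the server tells the adapter
        # which application session to terminate, using the stored state.
        state = self.app_state.pop(user_session)
        return app.admin_logout(state)


class ToyAdapter:
    """Stand-in for the application/adapter side."""

    def __init__(self, server, update_on_refresh):
        self.server = server
        self.update_on_refresh = update_on_refresh
        self.sessions = {}  # HttpSession id -> session data

    def login(self, code):
        pre_auth_sid = secrets.token_hex(8)
        self.sessions[pre_auth_sid] = {}
        tokens = self.server.exchange_code(code, application_session_state=pre_auth_sid)
        # Session-fixation defence (step 1 in the thread, already in place):
        # issue a fresh session id once authentication has succeeded. From
        # here on the server's stored state points at a dead session.
        post_auth_sid = secrets.token_hex(8)
        self.sessions[post_auth_sid] = self.sessions.pop(pre_auth_sid)
        self.sessions[post_auth_sid]["refresh_token"] = tokens["refresh_token"]
        return post_auth_sid

    def refresh(self, sid):
        data = self.sessions[sid]
        if self.update_on_refresh:
            tokens = self.server.refresh_token(data["refresh_token"], application_session_state=sid)
        else:
            tokens = self.server.refresh_token(data["refresh_token"])
        data["refresh_token"] = tokens["refresh_token"]
        return tokens["session_state"]

    def admin_logout(self, application_session_state):
        # True only if the pushed id matches a live session.
        return self.sessions.pop(application_session_state, None) is not None


def run_scenario(update_on_refresh):
    """Login, rotate the session id, refresh, then have the server push a
    logout. Returns (logout_hit_a_live_session, session_still_alive)."""
    server = ToyAuthServer()
    app = ToyAdapter(server, update_on_refresh)
    sid = app.login(code="constructed-auth-code")
    user_session = app.refresh(sid)
    hit = server.push_logout(user_session, app)
    return hit, sid in app.sessions


if __name__ == "__main__":
    print("without update:", run_scenario(False))  # (False, True): session survives the push
    print("with update:   ", run_scenario(True))   # (True, False): session is terminated
```

The second tuple element is the security-relevant one: with the stale state the user's application session outlives the server-side logout, which is exactly the gap the proposed refresh-endpoint change closes.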