[keycloak-dev] Adding notBefore to user?

Marek Posolda mposolda at redhat.com
Wed Aug 9 06:12:54 EDT 2017


I am thinking about adding notBefore to user. It will be updated when 
the user logs out in Account management or when an admin logs out the user in the admin 
console.

I am thinking about this because in a cross-DC environment, it can happen 
under some circumstances that a particular userSession "123" is not 
available in the infinispan cache on any Keycloak server, however it's 
available in the remoteCache on the JDG server. So it can happen that:
- Admin presses "Logout all sessions", but session 123 won't be affected 
as it's available just in the remoteCache
- Someone (attacker) sends a refresh token for session 123. It will be 
loaded from the remoteCache store into the Keycloak cache and will be treated as 
a valid session.

Do you think it's a bad idea to add notBefore to user? There may be some 
other ways to mitigate the issue if you think it's bad.

I am thinking about adding it to a separate table, so it's persistent 
across server restarts even for users from federated user storages. 
Something similar to how consents are saved. WDYT?

Marek
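The scenario above, as an added toy model that is not Keycloak code and not part of the original mail: two session caches (a local one and a remote one standing in for the JDG remoteCache), a "logout all sessions" that can only evict what the local cache sees, and a refresh-token check with and without a per-user notBefore. The class and function names, the session id "123" and the timestamps are constructed for the illustration.

```python
"""Toy model (hypothetical, not Keycloak's implementation) of a per-user
notBefore used to revoke refresh tokens whose session survived only in a
remote cache that a cache-only logout did not reach."""
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    session_id: str
    user_id: str
    issued_at: int  # epoch seconds the token was issued


@dataclass
class SessionStore:
    # session_id -> user_id, what this Keycloak node holds in its own cache
    local_cache: dict = field(default_factory=dict)
    # session_id -> user_id, what the remote store (JDG-like) still holds
    remote_cache: dict = field(default_factory=dict)
    # user_id -> epoch seconds; tokens issued before this are rejected
    user_not_before: dict = field(default_factory=dict)

    def logout_all_sessions_cache_only(self, user_id: str) -> None:
        # Can only evict sessions visible in the local cache; a session that
        # lives only in the remote cache is left untouched (the gap in the mail).
        for sid in [s for s, u in self.local_cache.items() if u == user_id]:
            del self.local_cache[sid]

    def logout_all_sessions_with_not_before(self, user_id: str, now: int) -> None:
        # Same eviction, plus a per-user revocation timestamp that does not
        # depend on which cache the session happens to sit in.
        self.logout_all_sessions_cache_only(user_id)
        self.user_not_before[user_id] = now

    def lookup_session(self, session_id: str):
        # Local hit first; otherwise the session is loaded back from the
        # remote store into the local cache, exactly the path an attacker's
        # replayed refresh token would take.
        if session_id in self.local_cache:
            return self.local_cache[session_id]
        user = self.remote_cache.get(session_id)
        if user is not None:
            self.local_cache[session_id] = user
        return user

    def validate_refresh(self, token: RefreshToken) -> bool:
        user = self.lookup_session(token.session_id)
        if user is None or user != token.user_id:
            return False
        # Reject tokens issued before the user's notBefore (0 = never set).
        return token.issued_at >= self.user_not_before.get(token.user_id, 0)


def demo(with_not_before: bool) -> bool:
    """Return whether an old refresh token for a remote-only session "123"
    is still accepted after the admin logs out all sessions of the user."""
    store = SessionStore(remote_cache={"123": "alice"})  # constructed sample
    old_token = RefreshToken(session_id="123", user_id="alice", issued_at=1000)
    if with_not_before:
        store.logout_all_sessions_with_not_before("alice", now=2000)
    else:
        store.logout_all_sessions_cache_only("alice")
    return store.validate_refresh(old_token)


def demo_fresh_login() -> bool:
    """A session created after the logout must still work: its token's
    issued_at is past the user's notBefore."""
    store = SessionStore()
    store.logout_all_sessions_with_not_before("alice", now=2000)
    store.local_cache["456"] = "alice"
    return store.validate_refresh(RefreshToken("456", "alice", issued_at=3000))


if __name__ == "__main__":
    print("cache-only logout, old token accepted:", demo(with_not_before=False))
    print("notBefore logout, old token accepted:", demo(with_not_before=True))
    print("new session after notBefore accepted:", demo_fresh_login())
```

The point of the model is that the cache-only logout leaves the remote-only session 123 replayable, while the user-level notBefore rejects the old token no matter where the session is later loaded from, and still lets sessions created after the logout through. Persisting `user_not_before` (the separate table proposed in the mail) is what keeps that guarantee across restarts; here it is just a dict.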
