[keycloak-dev] Adding notBefore to user?

Marek Posolda mposolda at redhat.com
Wed Aug 23 03:50:12 EDT 2017


Thanks for the confirmation. Finally added that.

Marek

On 09/08/17 20:20, Bill Burke wrote:
> I think that works then, what you are proposing.
>
>
> On 8/9/17 11:08 AM, Marek Posolda wrote:
>> I am thinking that logout of a single concrete session won't update 
>> notBefore. Just "Logout all sessions" for a concrete user will update 
>> it for this user. I assume that an admin or user usually uses "Logout 
>> all" if they think that something was broken (password compromised, 
>> mobile phone stolen etc)?
>>
>> BTW, the admin console has support for logout of a single session as well 
>> as logout all. However, account management has support just for 
>> "logout all" ATM. Maybe something useful to add?
>>
>> Marek
>>
>> On 09/08/17 16:08, Bill Burke wrote:
>>> What if the user has multiple sessions and only wants to log out of 
>>> one?
>>>
>>>
>>> On 8/9/17 6:12 AM, Marek Posolda wrote:
>>>> I am thinking about adding notBefore to the user. It will be updated when
>>>> the user logs out in Account management or when an admin logs the user out
>>>> in the admin console.
>>>>
>>>> I am thinking about this because in a cross-dc environment, it can 
>>>> happen
>>>> under some circumstances that a particular userSession "123" is not
>>>> available in the infinispan cache on any Keycloak server, however it's
>>>> available in the remoteCache on the JDG server. So it can happen that:
>>>> - Admin presses "Logout all sessions", but session 123 won't be affected
>>>> as it's available just in the remoteCache
>>>> - Someone (an attacker) sends a refresh token for session 123. It will be
>>>> loaded from the remoteCache store into the Keycloak cache and will be
>>>> treated as a valid session.
>>>>
>>>> Do you think it's a bad idea to add notBefore to the user? There may be
>>>> some other ways to mitigate the issue if you think it's bad.
>>>>
>>>> I am thinking about adding it to a separate table, so it's persistent
>>>> across server restarts even for users from federated user storages.
>>>> Something similar to how consents are saved. WDYT?
>>>>
>>>> Marek
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

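The cross-DC scenario and the proposed per-user notBefore guard, as an added simulation that is not Keycloak's own code: the class names, the two dict-backed "caches" standing in for the local Infinispan cache and the remote JDG store, and all timestamps are assumptions for illustration. It shows session "123" missing from the local cache but present in the remote cache, so "Logout all sessions" cannot delete it; with the guard, a replayed refresh token for that session is rejected because it was issued before the user's notBefore, while a single-session logout leaves notBefore untouched and a login after the bump still works. Running it with enforce=False reproduces the attack the thread describes.

```python
"""Simulation (added example, not Keycloak code) of a per-user notBefore.

Models the cross-DC case from the thread: a user session that is absent from
every node's local cache but still present in the remote cache store.
"""
from dataclasses import dataclass


@dataclass
class UserSession:
    session_id: str
    user_id: str


@dataclass
class RefreshToken:
    session_id: str
    user_id: str
    issued_at: int  # epoch seconds, the token's "iat" (assumed)


class NotBeforeStore:
    """Per-user notBefore kept in its own table (assumed), so it survives
    restarts and also works for users from federated user storage."""

    def __init__(self):
        self._by_user = {}

    def get(self, user_id):
        return self._by_user.get(user_id, 0)

    def set(self, user_id, timestamp):
        self._by_user[user_id] = timestamp


class Server:
    def __init__(self, local_cache, remote_cache, not_before, enforce=True):
        self.local = local_cache      # sessions this node's local cache knows
        self.remote = remote_cache    # sessions in the remote cache store
        self.not_before = not_before
        self.enforce = enforce        # False = behaviour without the guard

    def logout_session(self, session_id):
        """Single-session logout: drops the session, notBefore is untouched."""
        self.local.pop(session_id, None)
        self.remote.pop(session_id, None)

    def logout_all(self, user_id, now):
        """'Logout all sessions': drops every locally known session of the
        user and bumps the user's notBefore to 'now'."""
        for sid in [s for s, sess in self.local.items() if sess.user_id == user_id]:
            del self.local[sid]
        self.not_before.set(user_id, now)

    def refresh(self, token):
        """Validate a refresh token; on a local miss the session is lazily
        loaded from the remote store (the cross-DC path)."""
        session = self.local.get(token.session_id)
        if session is None:
            session = self.remote.get(token.session_id)
            if session is not None:
                self.local[token.session_id] = session
        if session is None or session.user_id != token.user_id:
            return "rejected: unknown session"
        if self.enforce and token.issued_at < self.not_before.get(token.user_id):
            # stale session: drop it everywhere instead of keeping the reload
            self.local.pop(token.session_id, None)
            self.remote.pop(token.session_id, None)
            return "rejected: issued before user notBefore"
        return "ok"


def run_scenario(enforce=True):
    """Constructed scenario: session '123' exists only in the remote cache.
    Returns the outcome of each step as a dict keyed by step name."""
    alice = "alice"
    remote = {"123": UserSession("123", alice), "456": UserSession("456", alice)}
    local = {"456": UserSession("456", alice)}  # "123" is missing locally
    server = Server(local, remote, NotBeforeStore(), enforce=enforce)
    old_123 = RefreshToken("123", alice, issued_at=1000)
    results = {}

    server.logout_session("456")  # single logout must not touch notBefore
    results["after_single_logout_123"] = server.refresh(old_123)
    results["not_before_after_single"] = server.not_before.get(alice)

    server.logout_all(alice, now=2000)  # admin or user presses "Logout all"
    results["after_logout_all_123"] = server.refresh(old_123)  # replayed token

    server.local["789"] = UserSession("789", alice)  # fresh login after the bump
    new_789 = RefreshToken("789", alice, issued_at=3000)
    results["new_session_after_logout_all"] = server.refresh(new_789)
    return results


if __name__ == "__main__":
    for enforce in (True, False):
        print("enforce notBefore:", enforce, run_scenario(enforce))
```

The comparison uses the token's issued-at against the stored notBefore, which is the same shape of check Keycloak already applies for realm and client notBefore; a real implementation would additionally persist the notBefore store rather than keep it in a dict.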