[keycloak-dev] Improve "Logout all" for the realm?

Stian Thorgersen sthorger at redhat.com
Wed Jun 6 02:28:21 EDT 2018 

On 5 June 2018 at 22:13, Marek Posolda <mposolda at redhat.com> wrote:

> Hi,
>
> when you click on tab "Sessions", you can see the screen with the:
> - counts of Active Sessions
> - counts of Offline Sessions
> - Button "Logout All"
>
> See the screenshot how the screen currently looks like:
> https://pasteboard.co/HowNZ2I.png
>
> We have the JIRA https://issues.jboss.org/browse/KEYCLOAK-7055 and the
> PR with the discussion https://github.com/keycloak/keycloak/pull/5126 .
> In shortcut, JIRA and PR points few issues:
> 1) There is no way to logout all active sessions only (Keep the offline
> sessions)
>
> 2) There is no way to logout all offline sessions only (Keep the active
> sessions)
>
> 3) When you click on the button, there is no confirmation dialog. It
> seems that "Logout all" is quite an important step and confirmation
> should be there.
>
> 4) When you click on the button, it will do something between. All
> active sessions are cleared from infinispan, but offline sessions are
> NOT cleared. There is just realm notBefore policy updated, which
> indirectly invalidates the offline sessions, but they are still kept in
> infinispan and DB, which itself is a bug IMO.
>
> So how to address all the issues? I can see something like this:
> - Instead of 1 button, have 3 buttons (Logout all active sessions,
> Logout all offline sessions, Logout all)
>

Sounds good, but might look a bit messy with those long labels and 3
buttons. Do we need 3 buttons? Or is "Logout active" and "Logout offline"
sufficient? Do we have a better term for non-offline than active?


>
> - All the buttons will display confirmation dialog
>

+1


>
> - The "Logout all" will also update notBefore policy like it's done now.
> It will clear all the "Active" and "Offline" sessions from infinispan.
> This will be displayed in the confirmation dialog. So confirmation for
> "Logout all" will be like: "Do you want to logout all active sessions
> and offline sessions and update realm notBefore policy?" The other 2
> buttons won't update not-before policy (we can't do that unless we have
> separate not-before for active sessions and for offline sessions, but I
> vote to not do that considering the required complexity of this).
>

Should it also clear sessions from the DB?


>
> - The message for "Logout all" will be sent to all the clients with
> adminUrl (which is already done).
>
> One related issue is, that currently we don't have a way to notify
> client applications that offline sessions were invalidated. I was
> thinking if we could have a way to register some listener for various
> adapter events (Logout all, logout all active/offline sessions, logout
> single active/offline session)? Client application can listen to the
> events and do something (EG. remove saved offline token from it's DB).
>

I'm not to keen on more bespoke logout protocols. Have we studied the OIDC
backchannel/frontchannel specs yet? Is there a way to do this in a standard
way?


>
> WDYT?
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list