[keycloak-dev] Improve "Logout all" for the realm?

Sebastien Blanc sblanc at redhat.com
Wed Jun 6 03:07:26 EDT 2018


On Wed, Jun 6, 2018 at 8:28 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> On 5 June 2018 at 22:13, Marek Posolda <mposolda at redhat.com> wrote:
>
> > Hi,
> >
> > when you click on the "Sessions" tab, you can see the screen with the:
> > - counts of Active Sessions
> > - counts of Offline Sessions
> > - Button "Logout All"
> >
> > See the screenshot of how the screen currently looks:
> > https://pasteboard.co/HowNZ2I.png
> >
> > We have the JIRA https://issues.jboss.org/browse/KEYCLOAK-7055 and the
> > PR with the discussion https://github.com/keycloak/keycloak/pull/5126 .
> > In short, the JIRA and PR point out a few issues:
> > 1) There is no way to logout all active sessions only (Keep the offline
> > sessions)
> >
> > 2) There is no way to logout all offline sessions only (Keep the active
> > sessions)
> >
> > 3) When you click on the button, there is no confirmation dialog. It
> > seems that "Logout all" is quite an important step and confirmation
> > should be there.
> >
> > 4) When you click on the button, it will do something in between. All
> > active sessions are cleared from infinispan, but offline sessions are
> > NOT cleared. There is just realm notBefore policy updated, which
> > indirectly invalidates the offline sessions, but they are still kept in
> > infinispan and DB, which itself is a bug IMO.
> >
> > So how to address all the issues? I can see something like this:
> > - Instead of 1 button, have 3 buttons (Logout all active sessions,
> > Logout all offline sessions, Logout all)
> >
>
> Sounds good, but might look a bit messy with those long labels and 3
> buttons. Do we need 3 buttons? Or is "Logout active" and "Logout offline"
> sufficient? Do we have a better term for non-offline than active?
>
>
> >
> > - All the buttons will display confirmation dialog
> >
>
> +1
>
>
> >
> > - The "Logout all" will also update notBefore policy like it's done now.
> > It will clear all the "Active" and "Offline" sessions from infinispan.
> > This will be displayed in the confirmation dialog. So confirmation for
> > "Logout all" will be like: "Do you want to logout all active sessions
> > and offline sessions and update realm notBefore policy?" The other 2
> > buttons won't update not-before policy (we can't do that unless we have
> > separate not-before for active sessions and for offline sessions, but I
> > vote to not do that considering the required complexity of this).
> >
>
> Should it also clear sessions from the DB?
>
>
> >
> > - The message for "Logout all" will be sent to all the clients with
> > adminUrl (which is already done).
> >
> > One related issue is, that currently we don't have a way to notify
> > client applications that offline sessions were invalidated. I was
> > thinking if we could have a way to register some listener for various
> > adapter events (Logout all, logout all active/offline sessions, logout
> > single active/offline session)? Client application can listen to the
> > events and do something (e.g. remove saved offline token from its DB).
> >
>
> I'm not too keen on more bespoke logout protocols. Have we studied the OIDC
> backchannel/frontchannel specs yet? Is there a way to do this in a standard
> way?
>
Apparently even the spec is not clear about this; they suggest that there
should be a "signal" (a particular claim?) to indicate whether the offline
ones should be revoked as well.

"Refresh tokens issued with the offline_access property normally SHOULD NOT
be revoked. NOTE: An open issue for the specification is whether to define
an additional optional parameter in the logout token, probably as a value
in the event-specific parameters JSON object, that explicitly signals that
offline_access refresh tokens are also to be revoked."
http://openid.net/specs/openid-connect-backchannel-1_0.html#Backchannel

BTW, are we currently using a Logout Token as specified in the specs?


>
> >
> > WDYT?
> > Marek
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >


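The back-channel logout exchange the thread asks about, as an added example that is not part of the original message and is not Keycloak's or its adapters' code: a relying-party check of a Logout Token against the validation rules in the OpenID Connect Back-Channel Logout spec (issuer, audience, iat, sub and/or sid, the events member, no nonce, jti for replay detection). It assumes an HS256 shared secret so that it runs with the standard library only; the `revoke_offline` name inside the event object is a hypothetical stand-in for the optional parameter the spec leaves as an open issue, not a standard claim, and all keys, URLs and identifiers are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI defined by OpenID Connect Back-Channel Logout 1.0.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Hypothetical event-specific parameter standing in for the spec's open issue
# (a signal that offline_access refresh tokens are to be revoked as well).
# Not a standard parameter; the name is an assumption for this example.
REVOKE_OFFLINE_PARAM = "revoke_offline"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (OPs normally sign with asymmetric keys; HS256 keeps
    this example free of third-party dependencies)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_logout_token(token, key, issuer, client_id, now=None,
                          seen_jti=None, max_age=120):
    """Verify the signature, apply the RP-side checks from the spec's Logout
    Token Validation section, and return what the RP should act on."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm; never let the token pick it (alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))

    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or client_id not in aud:
        raise ValueError("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the acceptance window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub and/or sid")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events must contain the back-channel logout member")
    # A logout token MUST NOT carry nonce, so it can never pass as an ID Token.
    if "nonce" in claims:
        raise ValueError("nonce present")
    jti = claims.get("jti")
    if not isinstance(jti, str):
        raise ValueError("jti missing")
    if seen_jti is not None:
        if jti in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(jti)

    event = events[BACKCHANNEL_LOGOUT_EVENT]
    return {
        "sub": claims.get("sub"),
        "sid": claims.get("sid"),
        "jti": jti,
        # Default follows the spec text: offline_access tokens are normally kept.
        "revoke_offline": event.get(REVOKE_OFFLINE_PARAM) is True,
    }


# Constructed sample data; none of these are real Keycloak values.
SAMPLE_KEY = b"constructed-shared-secret"
ISSUER = "https://idp.example.test/auth/realms/demo"
CLIENT_ID = "offline-app"


def sample_token(now, revoke_offline=False, extra=None):
    """Build a constructed logout token for the sample OP and client."""
    event = {REVOKE_OFFLINE_PARAM: True} if revoke_offline else {}
    claims = {
        "iss": ISSUER, "aud": CLIENT_ID, "iat": int(now), "jti": "constructed-jti-1",
        "sub": "constructed-user", "sid": "constructed-session-id",
        "events": {BACKCHANNEL_LOGOUT_EVENT: event},
    }
    claims.update(extra or {})
    return sign_logout_token(claims, SAMPLE_KEY)


if __name__ == "__main__":
    t = 1528268846  # fixed clock so the iat check is deterministic
    print(validate_logout_token(sample_token(t, revoke_offline=True), SAMPLE_KEY, ISSUER, CLIENT_ID, now=t))
    try:
        validate_logout_token(sample_token(t, extra={"nonce": "n"}), SAMPLE_KEY, ISSUER, CLIENT_ID, now=t)
    except ValueError as err:
        print("rejected:", err)
```

The returned `revoke_offline` flag is what an adapter would need to decide whether to drop a stored offline token; without some such signal it can only act on the active session, which is exactly the gap the quoted spec note leaves open.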