[keycloak-dev] Admin API: Delete session id

Stian Thorgersen sthorger at redhat.com
Mon Jun 25 06:05:20 EDT 2018


Hi,

Please use the user mailing list for questions and help.

On Mon, 25 Jun 2018 at 09:57, Eivind Larsen <eivind at jotta.no> wrote:

> Hi Keycloak Devs!
>
> In the admin API there is a call to delete a session by ID:
>
> DELETE /{realm}/sessions/{session_id}
>
> This works for user (online) sessions, but when given the session ID of an
> offline session, it gives a 404 error and nothing is deleted.
>
> Seeing as this is the only way to delete a given session by id,
> I would expect the call to work for offline sessions as well,
> ideally deleting both the user session and the offline session by this id.
>
> What do you think?
>
> Is there an alternative way to delete an offline session by id?
>
> I think it would be more useful if this call was scoped per user.
> Currently you have to load all user sessions, verify that this session ID
> is indeed owned by the user, then call delete. Scoping per user would make
> it impossible to delete a wrong user's session, and it would reduce
> requests to the Keycloak instance.
>
> Best Regards,
> Eivind Larsen
>
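
The list, verify, delete sequence described in the quoted message, as an added example that is not part of the original thread or Keycloak's own code. It assumes the admin REST paths `/admin/realms/{realm}/users/{id}/sessions` and `/admin/realms/{realm}/sessions/{id}`; the `http` callable, `FakeKeycloak`, the base URL and the sample users are constructed for illustration.

```python
from urllib.parse import quote


class SessionNotOwned(Exception):
    """The session id is not among the target user's sessions."""


def delete_user_session(http, base, realm, user_id, session_id):
    """Delete session_id only if it belongs to user_id.

    http(method, url) -> (status, json_or_None) is an assumed transport that
    already carries the admin bearer token. Returns True if a session was deleted.
    """
    admin = f"{base}/admin/realms/{quote(realm, safe='')}"
    status, sessions = http("GET", f"{admin}/users/{quote(user_id, safe='')}/sessions")
    if status != 200:
        raise RuntimeError(f"listing sessions failed: HTTP {status}")
    # Ownership check: the id must appear in this user's own session list.
    if session_id not in {s["id"] for s in sessions}:
        raise SessionNotOwned(session_id)
    status, _ = http("DELETE", f"{admin}/sessions/{quote(session_id, safe='')}")
    if status == 404:
        return False  # session ended between the two calls
    if status not in (200, 204):
        raise RuntimeError(f"delete failed: HTTP {status}")
    return True


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin API (sample data only)."""

    def __init__(self, sessions):
        self.sessions = dict(sessions)  # session id -> owning user id
        self.calls = []

    def __call__(self, method, url):
        self.calls.append((method, url))
        parts = url.split("/")
        if method == "GET" and parts[-1] == "sessions":
            return 200, [{"id": s, "userId": u}
                         for s, u in self.sessions.items() if u == parts[-2]]
        if method == "DELETE":
            found = self.sessions.pop(parts[-1], None) is not None
            return (204, None) if found else (404, None)
        return 405, None


if __name__ == "__main__":
    kc = FakeKeycloak({"sess-a": "alice", "sess-b": "bob"})
    print(delete_user_session(kc, "https://kc.example", "demo", "alice", "sess-a"))
```

The check and the delete are two separate requests, so the wrapper treats a 404 on the delete as "nothing removed" rather than an error.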

