[keycloak-dev] User Device Activity

Stian Thorgersen sthorger at redhat.com
Wed Aug 14 04:57:53 EDT 2019


This needs to be simplified and not over engineered.

What we need is a permanent cookie that can identify the browser/agent on a
specific device. IP address should not be considered as a way to identify a
browser/agent/device, as it simply won't work (IPs change, devices move,
multiple devices share the same IP).

Further, there should be no separate storing of "devices" on the server
side. This should simply be attached to the existing user sessions. Add it as
a note to the authentication session when that is created, and add it to the
user session when it is initially created. If I remember correctly, we
actually already have a persisted cookie to prevent creating multiple
sessions from the same browser. If "remember me" is not on, there is a
separate session cookie that can be used to invalidate an old session when
a new one is created. This prevents creating multiple sessions from the same
browser/device.

With regard to the history of already logged-out sessions, the simple way to
solve that is to allow sessions to live on for a while after they have
been invalidated or logged out. That should be a configurable option on a
realm for how long a session should be kept in history.

With regard to device fingerprinting, there are certainly techniques that
can fairly accurately identify a browser (using a hash of all information
available to client-side JS). However, that is overkill for what we are
trying to achieve. The simpler approach mentioned above with a cookie is
more than sufficient. If a user clears the cookies of a browser, it'll just
end up being listed as two sessions/devices.

Finally, bear in mind that devices are just a different view onto sessions.
That means that all sessions for the user should be visible in the devices
page, not just some separate list of devices.

On Fri, 9 Aug 2019 at 22:30, Pedro Igor Silva <psilva at redhat.com> wrote:

> On Fri, Aug 9, 2019 at 10:31 AM Marek Posolda <mposolda at redhat.com> wrote:
>
> > Not sure about the switch for device functionality. Maybe we can add it
> > later if there is a demand? Fewer switches are always good, and removing
> > switches can be harder than adding them :)
> >
>
> I see your point, but this is something that you may not want to be enabled
> OOTB.
>
>
> >
> > IMO feedback from the community will be interesting. I guess some people may
> > have issues where the IP address won't work, because Keycloak is behind a proxy
> > and the admin doesn't have the possibility to configure the proxy headers. Not
> > sure if such deployments, where the administrator can't properly configure the
> > proxy, exist, and how many of them there are, but maybe some do...
> >
>
> I'm not sure either. A cookie/fingerprint approach to device identification
> will also help in this situation.
>
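As an added illustration of the design proposed in the mail above (not Keycloak code, and not from anyone in the thread), here is a small in-memory model: a persistent random device cookie is stamped onto each user session, a new login from the same browser ends the previous active session, "devices" are nothing more than the user's sessions grouped by that cookie value, and ended sessions stay listed until a realm-configured history window passes. The cookie name `DEVICE_ID`, the `Realm`/`Session` classes and the timestamps are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical cookie name; Keycloak's real cookie names are not used here.
DEVICE_COOKIE = "DEVICE_ID"

@dataclass
class Session:
    user: str
    device_id: str
    created: float
    ended: Optional[float] = None  # None while the session is active

@dataclass
class Realm:
    history_seconds: int                     # how long ended sessions stay listed
    sessions: List[Session] = field(default_factory=list)

    def login(self, user: str, cookies: Dict[str, str], now: float) -> Session:
        # Reuse the persistent device cookie if the browser still has it,
        # otherwise mint a fresh random identifier and set it.
        device_id = cookies.get(DEVICE_COOKIE)
        if device_id is None:
            device_id = secrets.token_urlsafe(24)
            cookies[DEVICE_COOKIE] = device_id
        # A new login from the same browser/device ends the previous active
        # session instead of leaving two sessions open side by side.
        for s in self.sessions:
            if s.user == user and s.device_id == device_id and s.ended is None:
                s.ended = now
        session = Session(user, device_id, now)
        self.sessions.append(session)
        return session

    def logout(self, session: Session, now: float) -> None:
        session.ended = now  # kept in history, not deleted

    def devices(self, user: str, now: float) -> Dict[str, List[Session]]:
        # The "devices" page: every session of the user grouped by device id,
        # ended sessions included until the realm's history window passes.
        self.sessions = [s for s in self.sessions
                         if s.ended is None or now - s.ended < self.history_seconds]
        view: Dict[str, List[Session]] = {}
        for s in self.sessions:
            if s.user == user:
                view.setdefault(s.device_id, []).append(s)
        return view
```

Clearing the browser's cookies simply produces a second device id, so the same physical browser shows up as two entries, exactly as the mail describes.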
