[keycloak-dev] Keycloak session limiting (KEYCLOAK-849) (BA-93)

Mauro de Wit maurodewit at gmail.com
Tue Mar 12 04:26:12 EDT 2019


Hello,

I am sending this e-mail because I have some questions regarding the
enhancement request that enables configurable session limiting in Keycloak
as discussed here:
https://issues.jboss.org/browse/KEYCLOAK-849 (The developer that Marc Wijma
referred to in his comment as being available for this task is me btw :))

In the comments a solution is proposed that makes use of a custom
Authenticator that is dropped into the authentication flow where it can be
configured. While I can see the benefit of leveraging the existing
components as much as possible (including the configuration options in that
flow), I am wondering if this is the best solution. As far as I can tell,
this component is not performing any authentication at all. Moreover, this
functionality operates 'above' the authentication mechanisms and should
apply to all of them.
So is an Authenticator really the desired place to implement this? Or is
this just the quickest route, while not being the most desirable option for
the long term? What would an alternative approach be? That would place
this implementation and configuration in the existing Session configuration
code for instance.

I just now started investigating this task and looking into the options
that would meet our requirements. Hope to hear from you.

Regards

Mauro
