+
Skip to content

UserSessionProvider.removeUserSessions now removes all user sessions … #34350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 29, 2024
Merged

UserSessionProvider.removeUserSessions now removes all user sessions … #34350

merged 1 commit into from
Nov 29, 2024

Conversation

sguilhen
Copy link
Contributor

…(both online and offline)

Closes #31359

@sguilhen sguilhen requested review from a team as code owners October 25, 2024 16:25
@keycloak-github-bot keycloak-github-bot bot mentioned this pull request Oct 25, 2024
Closed
@ahus1
Copy link
Contributor

ahus1 commented Oct 29, 2024

IMHO this should be listed in the upgrading guide so people have a chance to learn about this changed behavior.

pedroigor
pedroigor previously approved these changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@pedroigor pedroigor left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ahus1 @mposolda Would you mind also reviewing it?

A related, but follow-up, issue would be to change the session expiration job to consider invalidations using a notBefore timestamp. Today we only rely on the session lifetime and last refresh.

@sguilhen
Copy link
Contributor Author

IMHO this should be listed in the upgrading guide so people have a chance to learn about this changed behavior.

I'm not entirely sure we should move on with this - looking at the code, the general assumption of implementations for this method is that only regular sessions are to be removed.

We should perhaps keep it that way and introduce a removeAllUserSessions - problem is how to do that without breaking API compatibility. The provider has no equivalent method for removing all offline sessions, which prevents me from adding a default removeAllUserSessions impl that would simply call the existing removeUserSessions and the missing removeOfflineUserSessions(RealmModel realm).

Also, there's no method to retrieve all offline sessions of a realm (only by client or user), so I can't even have a naive default impl for this removeAllUserSessions that would call the removeUserSessions and then iterate over all offline sessions removing them one by one.

So bottom line is that I haven't found a good way to introduce a default method for removing all sessions without breaking API compatibility.

@pedroigor
Copy link
Contributor

pedroigor commented Oct 29, 2024
edited
Loading

So bottom line is that I haven't found a good way to introduce a default method for removing all sessions without breaking API compatibility.

I don't think we need to worry about backward compatibility in this case. Effectively, sessions are invalidated already we are just making sure they are removed despite their type (offline vs online).

But still, a note in release notes make sense.

@sguilhen
Copy link
Contributor Author

I've sent another PR with a slightly different strategy - #34449

It should preserve the API compatibility and it also the semantics of the existing removeUserSessions(RealmModel realm) method in UserSessionProvider

@sguilhen sguilhen force-pushed the 31359-remove-offline-sessions branch from 4ea5e7b to 3a8b6ec Compare November 26, 2024 14:50
@sguilhen sguilhen mentioned this pull request Nov 26, 2024
Closed
@sguilhen sguilhen force-pushed the 31359-remove-offline-sessions branch 4 times, most recently from badf042 to 41646de Compare November 27, 2024 12:17
pedroigor
pedroigor previously approved these changes Nov 29, 2024
View reviewed changes
@sguilhen
UserSessionProvider.removeUserSessions now removes all user sessions …
7b69c0a 
…(both regular and offline)

Closes keycloak#31359

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
@sguilhen sguilhen force-pushed the 31359-remove-offline-sessions branch 2 times, most recently from 7f57c85 to 7b69c0a Compare November 29, 2024 14:47
@pedroigor pedroigor mentioned this pull request Nov 29, 2024
Closed
@pedroigor pedroigor enabled auto-merge (rebase) November 29, 2024 14:56
@pedroigor pedroigor merged commit 9861acc into keycloak:main Nov 29, 2024
73 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedroigor pedroigor pedroigor approved these changes

Assignees

No one assigned

Labels

flaky-test team/cloud-native team/core-clients team/core-iam

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Offline sessions are not removed from admin console after sign out all active sessions

3 participants

@sguilhen @ahus1 @pedroigor
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载