Possibility to revoke sessions when using client storage
cantor.2 at osu.edu
Fri Mar 30 12:03:27 EDT 2018
> This could be problematic for longlived sessions. Shall I submit a feature
> request for this?
I think it's up to applications to do authz and not rely on authentication, but like anything else it's just a matter of finding time. With the IdP I think it's just not that big a deal to roll the keys and invalidate everybody. All that does is cause people to have to login the next time they interact. Not really that big a deal in practice.
More information about the users