Possibility to revoke sessions when using client storage

Cantor, Scott cantor.2 at osu.edu
Fri Mar 30 12:03:27 EDT 2018

> This could be problematic for longlived sessions. Shall I submit a feature
> request for this?

I think it's up to applications to do authz and not rely on authentication, but like anything else it's just a matter of finding time. With the IdP I think it's just not that big a deal to roll the keys and invalidate everybody. All that does is cause people to have to login the next time they interact. Not really that big a deal in practice.

-- Scott

More information about the users mailing list