[keycloak-dev] redirects vs. javascript logins

Stian Thorgersen stian at redhat.com
Fri Jul 26 04:48:55 EDT 2013


Yes, I don't know why I missed that. As you say, login and logout have to be done through redirects as long as HttpOnly is set on the cookie.

EventJuggler simply links to the login page, but logout is an XHR and, as you say, that would have to be a redirect as well.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 25 July, 2013 5:57:56 PM
> Subject: [keycloak-dev] redirects vs. javascript logins
> 
> To do SSO, keycloak server sets a session cookie so that the user
> doesn't have to re-login if the cookie is set.  This will have issues
> with the custom login, like the way the Event Juggler app works.
> Correct me if I'm wrong, but for Event Juggler, the login page is hosted
> at the Event Juggler website?  And the app would do an HTTP invocation
> to obtain the token, correct?
> 
> The problem with this approach is that we wouldn't be able to set the
> login session cookie as all cookies will be HttpOnly and not accessible
> via javascript (due to security issues).  So, SSO would not work, and
> the user would have to re-login for each additional site they visited.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
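As an added example (not Keycloak's or EventJuggler's code) of the point both messages make: a model of the SSO server's redirect-based login and logout setting an HttpOnly session cookie, plus a minimal browser cookie jar showing that navigation requests carry the cookie while script (document.cookie) can neither read nor overwrite it. The cookie name, in-memory session store and URLs are assumptions.

```python
from http.cookies import SimpleCookie
import secrets

SESSION_COOKIE = "KEYCLOAK_SESSION"   # hypothetical name, not Keycloak's real cookie
_sessions = {}                        # assumed server-side store: token -> username

def _set_cookie(value, **attrs):
    """Build the Set-Cookie header value; HttpOnly is always on."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = value
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["httponly"] = True
    for k, v in attrs.items():
        c[SESSION_COOKIE][k] = v
    return c.output(header="").strip()

def login_redirect(username, redirect_uri):
    """Top-level navigation to the SSO server: the 302 back to the app carries
    the HttpOnly session cookie, which the browser stores for the SSO origin."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = username
    return {"status": 302, "Location": redirect_uri,
            "Set-Cookie": _set_cookie(token, secure=True)}

def logout_redirect(redirect_uri):
    """Logout is a redirect too: only an HTTP response can expire the cookie."""
    return {"status": 302, "Location": redirect_uri,
            "Set-Cookie": _set_cookie("", **{"max-age": 0})}

def whoami(request_cookies):
    """SSO on the server side: recognise a returning browser by its cookie."""
    return _sessions.get(request_cookies.get(SESSION_COOKIE))

class BrowserJar:
    """Minimal model of a browser's cookie jar for the SSO origin."""
    def __init__(self):
        self.jar = {}                       # name -> (value, httponly)
    def store(self, set_cookie):            # Set-Cookie from an HTTP response
        c = SimpleCookie(); c.load(set_cookie)
        for name, m in c.items():
            if m["max-age"] == "0":
                self.jar.pop(name, None)    # expired by the server
            else:
                self.jar[name] = (m.value, bool(m["httponly"]))
    def request_cookies(self):              # what a navigation request sends
        return {n: v for n, (v, _) in self.jar.items()}
    def script_visible(self):               # what document.cookie exposes
        return {n: v for n, (v, httponly) in self.jar.items() if not httponly}
    def script_set(self, name, value):      # document.cookie = "name=value"
        if name in self.jar and self.jar[name][1]:
            return False                    # cannot touch an HttpOnly cookie
        self.jar[name] = (value, False)
        return True
```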
