[keycloak-dev] application session state update
Bill Burke
bburke at redhat.com
Tue Mar 31 10:12:55 EDT 2015
On 3/31/2015 4:28 AM, Marek Posolda wrote:
> On 31.3.2015 10:16, Sebastian Rose wrote:
>>> That's actually related to the application session (kind of HttpSession
>>> ID in web application secured by keycloak). We can add support for
>>> changing application_session_state in refreshToken endpoint instead of
>>> introducing separate endpoint. Will it be sufficient for your usecase?
>>> Marek
>> As Bastian already said...
>> Thanks for your response. Yes, I think this would work for us.
>>
>> I will create a JIRA for that and contribute a change via pull request (if this is fine for you)?
> yep, thanks. There is some refactoring in latest master, you would need
> to look at TokenEndpoint.buildRefreshToken now (TokenEndpoint is a new
> class, which didn't exist in 1.1.0.Final)
>
I'm not understanding what you want here. You are worried about an
attacker getting the HTTP session id of the application? You want the
HttpSession id to change 1) after login, 2) after refresh token? How
does this have anything to do with the auth server? Wouldn't this be an
adapter feature?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com