[keycloak-user] Clarification of use case: simultaneous requests with expired token

Marek Posolda mposolda at redhat.com
Fri Dec 12 05:32:53 EST 2014

On 11.12.2014 23:20, Kuznetsov, Mike wrote:
> Hello,
> We are in the process of securing our REST APIs using Keycloak. Please 
> confirm our understanding of the following:
> We have a use case where our web client may SIMULTANEOUSLY send 
> several REST API calls (r1, r2,r3…) to our server using the Access 
> Token (at1) and Refresh Token (rt1).
> When r1 is being handled, assuming that at1 is expired, server-side 
> adapter will be taking care of getting new tokens (at2, rt2). Is it 
> safe to assume that r2 and r3 will get hold of at2 and rt2? If so, is 
> it valid to conclude that the adapter is maintaining state for the token.
Your web client is servlet application secured by keycloak?

Actually it's the frontend application, which handles refreshing of 
tokens. You can take a look at our example, where frontend application 
is sending rest requests to backend application: 
. In this case when the code is calling:


the adapter will automatically handle refreshing the token (it checks if 
token is expired and automatically refresh if it is). So later you can 
use this accessToken to send parallel requests to your REST endpoints 
and it should be ok to assume that accessToken is not expired.

> Thank You,
> Mikhail Kuznetsov
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141212/2291e589/attachment.html 

More information about the keycloak-user mailing list