[keycloak-user] Bearer token expiration question

[Bill Burke]

You're not missing something obvious.  We need to add refresh tokens 
that can be held by the HTTP session or the Javascript client so a new 
access token can be obtained.  There's also some work still to be done 
to smooth out Javascript only clients that are servered up via static pages.


On 1/28/2014 2:21 PM, Eric Wittmann wrote:
> First of all, Keycloak looks great - the alpha release is a very nice start!
>
> I have a question about bearer token expiration.  Take the included
> product portal example.  It is configured to use Keycloak for SSO, which
> allows the user to access the product listing page.  That listing page
> uses the current SkeletonKeySession's token as the Bearer token when
> invoking the database/products REST endpoint.  This makes sense to me,
> but one interesting thing happens - that token eventually times out.
> Once that happens all calls to the REST endpoint fail.
>
> Note that this occurs even if the user refreshes that product listing
> page.  The timeout is from login, not from the last activity (like an
> http session timeout would be).
>
> So in this scenario, how is the product page supposed to get a new token
> when the old one expires?
>
> This becomes even more relevant if the UI is not a JSP but is instead a
> JavaScript app (e.g. angular, GWT, etc).  I was thinking that I would
> need to pass the token to the client layer, which would then allow me to
> make authenticated REST calls directly from the Client/JavaScript layer
> to a REST API.  That would be a great separation, but obviously the user
> should not get logged out after N minutes despite actively using the app
> during that time.
>
> I'm probably missing something obvious... :)
>
> -Eric
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com