[keycloak-user] WebSockets

Juraci Paixão Kröhling juraci at kroehling.de
Mon Aug 10 09:48:42 EDT 2015


On 08/10/2015 03:26 PM, Bill Burke wrote:
> Once the WebSocket is established there is
> actually no reason to resend the token as the connection/socket remains
> open.  HTTP requests are different.  They need to retransmit the token
> because HTTP is connectionless and assumes every request is a different
> connection. For browser apps, logout can be handled in the regular way
> with keycloak.js.  Non-browser apps can just rely on non-browser means.
>
> All the server needs is a way to validate and unpack the token.  Refresh
> should be handled at the client side through keycloak.js or some other
> oauth library.  For bearer token auth, it is not the responsibility of
> the server to manage the token.

Not sure I get it. Are you saying that my server endpoint should trust 
that the client will close the connection once the token expires/is 
invalidated?

- Juca.
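
The concern raised in this message, as an added example that is not part of the original thread or of Keycloak's code: a server endpoint that records the validated token's `exp` and closes the socket itself once it passes, unless the client has sent a refreshed token in the meantime. `SocketSession`, `closeFn`, `sampleKeys`, `makeSampleToken` and the close code 4401 are assumptions made for illustration; the sketch covers expiry only, not revocation.

```javascript
// Added example: the server tracks token expiry itself on an open WebSocket.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unb64 = (str) => JSON.parse(Buffer.from(str, 'base64url').toString());

// Verify an RS256-signed JWT and return its claims; throws on any failure.
function verifyToken(token, publicKey, nowSec) {
  const [h, p, s] = String(token).split('.');
  if (!h || !p || !s) throw new Error('malformed token');
  if (unb64(h).alg !== 'RS256') throw new Error('unexpected alg');
  const good = verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!good) throw new Error('bad signature');
  const claims = unb64(p);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// One instance per open socket. closeFn(code, reason) is a hypothetical hook that
// would call the real socket's close(); 4401 is an arbitrary private-use close code.
class SocketSession {
  constructor(publicKey, closeFn) {
    Object.assign(this, { publicKey, closeFn, subject: null, expiresAt: 0, closed: false });
  }
  // Call at the handshake and again whenever the client sends a refreshed token.
  authenticate(token, nowSec) {
    try {
      const claims = verifyToken(token, this.publicKey, nowSec);
      if (this.subject && claims.sub !== this.subject) throw new Error('subject changed');
      this.subject = claims.sub;
      this.expiresAt = claims.exp;
      return true;
    } catch (err) { return this.close(err.message); }
  }
  // Call before handling each inbound frame and from a periodic timer.
  checkAlive(nowSec) {
    if (this.closed) return false;
    return nowSec < this.expiresAt ? true : this.close('token expired');
  }
  close(reason) {
    if (!this.closed) { this.closed = true; this.closeFn(4401, reason); }
    return false;
  }
}

// Constructed sample data: a throwaway key pair and tokens signed with it.
const sampleKeys = () => generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeSampleToken(privateKey, claims) {
  const body = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}`;
  return `${body}.${sign('RSA-SHA256', Buffer.from(body), privateKey).toString('base64url')}`;
}
```
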


