[keycloak-user] How to know when to get a refreshed bearer token
Hubert Przybysz
h.p.przybysz at gmail.com
Wed Jan 7 17:25:28 EST 2015
Thanks for the heads-up. I'll take a closer look at the javascript adapter.
FYI, I've found the k_query_bearer_token request quite useful for a web app
that uses a mix of server-side and javascript components.
On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <bburke at redhat.com> wrote:
> You probably should not be using the k_query_bearer_token request. I'm
> thinking of removing it because it is vulnerable to CSRF attacks. Instead
> use keycloak.js for javascript apps.
>
> On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>
>> The token is indeed updated automatically when it is requested. I was
>> rather wondering if there was a way to not have to request it prior to
>> each AJAX request. Currently, since the application does not know when
>> the token expires, it has to either get it prior to each AJAX request,
>> or try to use a possibly stale token and request it again when it gets a
>> 401 from the REST service. It would be nice to get information about
>> token expiry together with the token in response to k_query_bearer_token
>> request.
>>
>> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>> wrote:
>>
>> IIRC, if you're using the correct APIs (in Javascript or on the server
>> side), the token will be automatically updated for you when you
>> request it.
>>
>> On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>> > Hi,
>> >
>> > My jee web application uses its bearer token when issuing AJAX
>> requests
>> > to other REST services within the realm (but at different
>> origins). It
>> > does it by reading the exposed bearer token prior to making an AJAX
>> > request. Is there a mechanism by which the application may find
>> out when
>> > the bearer token is refreshed, to make it possible to read the
>> bearer
>> > token only when needed ?
>> >
>> > Br / Hubert.
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.
>> jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150107/5684a87a/attachment.html
More information about the keycloak-user
mailing list