[keycloak-user] How to know when to get a refreshed bearer token

Bill Burke bburke at redhat.com
Wed Jan 7 17:49:32 EST 2015


If your server-side components are all REST-based, I suggest using 
bearer token auth for them and obtaining the token via the keycloak.js 
adapter.  Again, k_query_bearer_token auth is vulnerable to CSRF right now.

On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
> Thanks for the heads-up. I'll take a closer look at the javascript adapter.
>
> FYI, I've found the k_query_bearer_token request quite useful for a web
> app that uses a mix of server-side and javascript components.
>
> On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>     You probably should not be using the k_query_bearer_token request.
>     I'm thinking of removing it because it is vulnerable to CSRF
>     attacks. Instead use keycloak.js for javascript apps.
>
>     On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>
>         The token is indeed updated automatically when it is requested.
>         I was
>         rather wondering if there was a way to not have to request it
>         prior to
>         each AJAX request. Currently, since the application does not
>         know when
>         the token expires, it has to either get it prior to each AJAX
>         request,
>         or try to use a possibly stale token and request it again when
>         it gets a
>         401 from the REST service. It would be nice to get information about
>         token expiry together with the token in response to
>         k_query_bearer_token
>         request.
>
>         On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke at redhat.com
>         <mailto:bburke at redhat.com>
>         <mailto:bburke at redhat.com <mailto:bburke at redhat.com>>> wrote:
>
>              IIRC, if you're using the correct APIs (in Javascript or on
>         the server
>              side), the token will be automatically updated for you when you
>              request it.
>
>              On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>               > Hi,
>               >
>               > My jee web application uses its bearer token when
>         issuing AJAX
>              requests
>               > to other REST services within the realm (but at different
>              origins). It
>               > does it by reading the exposed bearer token prior to
>         making an AJAX
>               > request. Is there a mechanism by which the application
>         may find
>              out when
>               > the bearer token is refreshed, to make it possible to
>         read the bearer
>               > token only when needed ?
>               >
>               > Br / Hubert.
>               >
>               >
>               > _________________________________________________
>               > keycloak-user mailing list
>               > keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>         <mailto:keycloak-user at lists.__jboss.org
>         <mailto:keycloak-user at lists.jboss.org>>
>               > https://lists.jboss.org/__mailman/listinfo/keycloak-user
>         <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>               >
>
>              --
>              Bill Burke
>              JBoss, a division of Red Hat
>         http://bill.burkecentral.com
>              _________________________________________________
>              keycloak-user mailing list
>         keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>         <mailto:keycloak-user at lists.__jboss.org
>         <mailto:keycloak-user at lists.jboss.org>>
>         https://lists.jboss.org/__mailman/listinfo/keycloak-user
>         <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-user mailing list