[keycloak-user] How to know when to get a refreshed bearer token

Hubert Przybysz h.p.przybysz at gmail.com
Tue Jan 13 02:52:30 EST 2015


Hi Bill,
When testing my app with the javascript adapter I have noticed that
keycloak.js gets confused when messages other than keycloak's get posted on
the window (from same origin). I made a quick fix by adding a
type="keycloak" to the data posted to the iframe and checking for that
value when the iframe sends it back. Other than that the adapter appears to
work just fine. Thanks again for pointing me in the right direction.
Br / Hubert.

On Wed, Jan 7, 2015 at 11:49 PM, Bill Burke <bburke at redhat.com> wrote:

> If your server-side components are all REST-based, I suggest using bearer
> token auth for them and obtaining the token via the keycloak.js adapter.
> Again, k_query_bearer_token auth is vulnerable to CSRF right now.
>
> On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
>
>> Thanks for the heads-up. I'll take a closer look at the javascript
>> adapter.
>>
>> FYI, I've found the k_query_bearer_token request quite useful for a web
>> app that uses a mix of server-side and javascript components.
>>
>> On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>>     You probably should not be using the k_query_bearer_token request.
>>     I'm thinking of removing it because it is vulnerable to CSRF
>>     attacks. Instead use keycloak.js for javascript apps.
>>
>>     On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>>
>>         The token is indeed updated automatically when it is requested. I was
>>         rather wondering if there was a way to not have to request it prior to
>>         each AJAX request. Currently, since the application does not know when
>>         the token expires, it has to either get it prior to each AJAX request,
>>         or try to use a possibly stale token and request it again when it gets a
>>         401 from the REST service. It would be nice to get information about
>>         token expiry together with the token in response to the
>>         k_query_bearer_token request.
>>
>>         On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>>              IIRC, if you're using the correct APIs (in Javascript or on the
>>              server side), the token will be automatically updated for you
>>              when you request it.
>>
>>              On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>>               > Hi,
>>               >
>>               > My JEE web application uses its bearer token when issuing AJAX
>>               > requests to other REST services within the realm (but at
>>               > different origins). It does it by reading the exposed bearer
>>               > token prior to making an AJAX request. Is there a mechanism by
>>               > which the application may find out when the bearer token is
>>               > refreshed, to make it possible to read the bearer token only
>>               > when needed?
>>               >
>>               > Br / Hubert.
>>               >
>>               >
>>               > _________________________________________________
>>               > keycloak-user mailing list
>>               > keycloak-user at lists.jboss.org
>>               > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>               >
>>
>>              --
>>              Bill Burke
>>              JBoss, a division of Red Hat
>>              http://bill.burkecentral.com
>>
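
A defensive version of the quick fix Hubert describes above, as an added example in plain JavaScript (not keycloak.js or any adapter code): the page-side listener accepts a message from the session-status iframe only when it arrives from the expected iframe origin and carries the agreed `type` field, so unrelated same-origin messages are dropped instead of confusing the adapter. The message shape, the status values and the origins used here are assumptions made for this example.

```javascript
// Added example (not keycloak.js code): tag the adapter's own postMessage
// traffic with a "type" and filter iframe replies on origin + type.
const KEYCLOAK_MSG_TYPE = "keycloak";
const KNOWN_STATUSES = ["unchanged", "changed", "error"]; // assumed values

// Message the app posts into the iframe; "type" marks it as ours.
function buildSessionCheckMessage(clientId, sessionState) {
  return { type: KEYCLOAK_MSG_TYPE, clientId, sessionState };
}

// Inspect a MessageEvent-like object ({origin, data}). Returns the status for a
// genuine reply, or null when the message must be ignored (wrong origin,
// non-object data, missing or foreign type, unknown status).
function parseSessionStatusReply(event, expectedOrigin) {
  if (!event || event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== KEYCLOAK_MSG_TYPE) return null;
  if (!KNOWN_STATUSES.includes(data.status)) return null;
  return data.status;
}

// Listen on `win` and route only genuine replies to onStatus; returns a sender
// that posts the check with an explicit target origin (never "*").
function installSessionStatusListener(win, iframeWindow, iframeOrigin, onStatus) {
  win.addEventListener("message", (event) => {
    const status = parseSessionStatusReply(event, iframeOrigin);
    if (status !== null) onStatus(status);
  });
  return (clientId, sessionState) =>
    iframeWindow.postMessage(buildSessionCheckMessage(clientId, sessionState), iframeOrigin);
}
// Constructed stand-in for window so the example runs offline (e.g. in Node).
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener: (name, fn) => { if (name === "message") listeners.push(fn); },
    dispatch: (event) => listeners.forEach((fn) => fn(event)),
  };
}

// Simulate one foreign same-origin message, then one genuine reply.
function demo() {
  const origin = "https://sso.example.test"; // constructed origin
  const win = makeFakeWindow();
  const seen = [];
  installSessionStatusListener(win, { postMessage() {} }, origin, (s) => seen.push(s));
  win.dispatch({ origin, data: { widget: "chat", text: "hello" } }); // ignored
  win.dispatch({ origin, data: { type: KEYCLOAK_MSG_TYPE, status: "unchanged" } });
  return seen; // ["unchanged"]
}
```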