[keycloak-user] web and mobile behavior with logout/pw change

Stian Thorgersen sthorger at redhat.com
Fri Mar 18 08:21:58 EDT 2016


On 14 Mar 2016 15:42, "Seann Ives" <sives at paintnite.com> wrote:
>
> Hello,
>
> Our web application has a standard keycloak integration.  Our mobile app
> is currently using keycloak direct access grants.  I've got a few questions
> about expected behavior when a user has overlapping usage of both web and
> mobile which I'm hoping someone here can kindly answer.
>
> 1. A user logs in to the mobile app and gets a JWT and a refresh token.
> The user then logs in to the web app (via KC) and then logs out of the web
> app (via KC).  Should the mobile refresh token then be able to successfully
> refresh the mobile JWT access token against KC, or does the web logout
> 'invalidate' the mobile refresh token?

Logout only invalidates one session. Since you have a mobile app with
direct grant and a separate web app they have separate sessions.

>
> 2. Similar scenario but the web user changes their password instead of
> logging out:
> A user logs in to the mobile app and gets a JWT and a refresh token.  The
> user then logs in to the web app and then changes their password (through
> KC).  Should the mobile refresh token (created with the old password) then
> be able to successfully refresh the mobile JWT access token, or does the
> web logout 'invalidate' the mobile refresh token?

All sessions except the session changing the password are logged out. So
the mobile refresh token should be invalid.

>
>
> Would the behavior in either of those cases be different if our mobile
> app used a webview redirecting to the KC server instead of using direct
> access grants?

Yes/no. If you use an embedded webview it has its own cookies and doesn't
have access to the system browser cookies. So there are two separate
sessions. I'd still use webview though and not direct grant. A much better
option is to use an embedded system browser tab as it actually allows
having one session between multiple mobile apps and system browser. I've
got no clue how to do that though, I just read that's the proper way to do
it.

>
> Thanks very much!
> Seann Ives
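A toy model of the session rules stated in the reply, added here as an illustration and not Keycloak's own code: one session per login (web redirect or mobile direct grant), a refresh token bound to its session, logout ending only that one session, and a password change ending every other session of the same user. The SessionStore class and the two scenario functions are hypothetical names.

```python
import secrets


class SessionStore:
    # Hypothetical in-memory stand-in for the server-side session state.
    def __init__(self):
        self.sessions = {}        # session id -> {"user", "client", "active"}
        self.refresh_tokens = {}  # refresh token -> session id it is bound to

    def login(self, user, client):
        # One session per login, whether web redirect or mobile direct grant.
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "client": client, "active": True}
        return sid, self.issue_refresh_token(sid)

    def issue_refresh_token(self, sid):
        token = secrets.token_urlsafe(16)
        self.refresh_tokens[token] = sid
        return token

    def refresh(self, token):
        # Return a new access token, or None when the bound session has ended.
        sid = self.refresh_tokens.get(token)
        if sid is None or not self.sessions[sid]["active"]:
            return None
        return "access-" + secrets.token_hex(4)

    def logout(self, sid):
        # Logout ends only the session it was issued from.
        self.sessions[sid]["active"] = False

    def change_password(self, sid):
        # Ends every other session of that user; the changing session stays active.
        user = self.sessions[sid]["user"]
        for other_sid, sess in self.sessions.items():
            if sess["user"] == user and other_sid != sid:
                sess["active"] = False


def mobile_refresh_after_web_logout():
    store = SessionStore()
    _, mobile_rt = store.login("alice", "mobile-direct-grant")
    web_sid, _ = store.login("alice", "web-app")
    store.logout(web_sid)
    return store.refresh(mobile_rt) is not None  # True: the mobile session survives


def mobile_refresh_after_web_password_change():
    store = SessionStore()
    _, mobile_rt = store.login("alice", "mobile-direct-grant")
    web_sid, _ = store.login("alice", "web-app")
    store.change_password(web_sid)
    return store.refresh(mobile_rt) is not None  # False: other sessions were ended
```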