[keycloak-user] Communication between Keycloak and Spring Security Adapter
Matt H
matt.inbox at outlook.com
Mon Sep 26 15:42:10 EDT 2016
Hi,
I'm trying to get a better understanding of the communication between Keycloak and spring security client applications. If I'm understanding the authentication/authorization flow, it would be something like:
1. User (or client application) login to application
2. Spring security redirects to Keycloak
3. Keycloak verifies user and creates a JWT
4. Redirects user with JWT back to application
5. Verifies JWT
6. Sends response to client
For step #5, verification: Does spring security verify the JWT locally, or is the token sent back to Keycloak for verification? I'm wondering how much "chatter" there is between Spring security and Keycloak for every request.
If a user already has a non-expired JWT, does it just do steps 5-6 until it expires? Once it expires, it requests a new JWT from Keycloak?
Thanks,
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/6021beb6/attachment-0001.html
More information about the keycloak-user
mailing list