[keycloak-user] token vs cookie for clients

[Avinash Kundaliya]

Hi Bill,
This is exactly what i was trying to ask. It is good to know that the
client adapters manage the session itself.
Regarding the SSO with multiple apps, could you explain more about the
cookie from auth server's domain? maybe there is a documentation somewhere
that i can have a look at?

Thanks for the help.

Regards,
Avinash

On 29 March 2017 at 19:26, Bill Burke <bburke at redhat.com> wrote:

> Not sure I understand the question, but I can talk about how our client
> adapters work.
>
> For our Java client adapters, once the user is authenticated using OIDC
> protocol, the client adapter manages the session itself using
> traditional Servlet security.  The access token is used to obtain role
> mapping information.  If this web application needs to invoke on back
> ends, the access token is used to make secure invocations on these
> additinal back ends.
>
> FYI, for browser apps, you can't do SSO with multiple apps without a
> cookie from the auth server's domain.   This means you have to use one
> of the redirection protocols from OIDC or SAML.
>
>
> On 3/29/17 3:32 AM, Avinash Kundaliya wrote:
> > Hello,
> > I have a question that is more related to OAuth2 in general. If i am
> using
> > keycloak with a web application. The backend has the token, is it
> suggested
> > for the client to also communicate with the backend using the JWT or
> rather
> > manage its own session and cookies.
> > I think its better to manage own session and cookies, but also curious
> how
> > would single sign out work in those cases?
> > I hope this is quite a basic question and there are defined ways to
> > approach such issues.
> >
> > Thanks for all the help.
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
---
Avinash Kundaliya
avinash at avinash.com.np
http://avinash.com.np