<div dir="ltr">Thanks for the heads-up. I'll take a closer look at the JavaScript adapter.<div><br></div><div>FYI, I've found the <span style="font-size:13px">k_query_bearer_token request quite useful for a web app that uses a mix of server-side and JavaScript components.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You probably should not be using the k_query_bearer_token request. I'm thinking of removing it because it is vulnerable to CSRF attacks. Instead use keycloak.js for JavaScript apps.<span class=""><br>
<br>
On 1/7/2015 9:29 AM, Hubert Przybysz wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
The token is indeed updated automatically when it is requested. I was<br>
rather wondering if there was a way to not have to request it prior to<br>
each AJAX request. Currently, since the application does not know when<br>
the token expires, it has to either get it prior to each AJAX request,<br>
or try to use a possibly stale token and request it again when it gets a<br>
401 from the REST service. It would be nice to get information about<br>
token expiry together with the token in response to k_query_bearer_token<br>
request.<br>
<br>
On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br></span><span class="">
<br>
IIRC, if you're using the correct APIs (in JavaScript or on the server<br>
side), the token will be automatically updated for you when you<br>
request it.<br>
<br>
On 1/7/2015 4:06 AM, Hubert Przybysz wrote:<br>
> Hi,<br>
><br>
> My JEE web application uses its bearer token when issuing AJAX requests<br>
> to other REST services within the realm (but at different origins). It<br>
> does it by reading the exposed bearer token prior to making an AJAX<br>
> request. Is there a mechanism by which the application may find out when<br>
> the bearer token is refreshed, to make it possible to read the bearer<br>
> token only when needed?<br>
><br>
> Br / Hubert.<br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br></span>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><span class=""><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</span>
<br>
<br>
</blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br></div>
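The alternative raised in the thread (knowing when the token expires, rather than reading it before every AJAX request or waiting for a 401), as an added example that is not code from the thread or from Keycloak. It assumes the bearer token is a JWT carrying an `exp` claim; `makeTokenCache`, `readToken` and `sampleToken` are hypothetical names.

```javascript
// Added example (not Keycloak code). Assumes the bearer token is a JWT with an `exp` claim.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Expiry in seconds since the epoch, or null when it cannot be read.
// The signature is NOT verified: the value only schedules refreshes and must
// never be used for an authorization decision (the REST service does that).
function tokenExpiry(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(b64urlDecode(parts[1]));
    return Number.isFinite(claims.exp) ? claims.exp : null;
  } catch (e) {
    return null;
  }
}

// True when the token is missing, unreadable, or expires within minValiditySec.
function needsRefresh(jwt, nowSec, minValiditySec = 30) {
  const exp = tokenExpiry(jwt);
  return exp === null || exp - nowSec < minValiditySec;
}

// readToken is a hypothetical callback for however the app obtains a fresh token.
function makeTokenCache(readToken, clock = () => Math.floor(Date.now() / 1000)) {
  let token = null;
  return {
    get(minValiditySec = 30) {
      if (needsRefresh(token, clock(), minValiditySec)) token = readToken();
      return token;
    },
    invalidate() { token = null; } // call after a 401: clocks may disagree
  };
}

// Constructed, unsigned sample token for demonstration only (Node's Buffer).
function sampleToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'constructed-user', exp })}.sig`;
}
```

The 401 path stays as a fallback: the client clock can drift from the server's, and a token can be revoked before its `exp`.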