<div dir="ltr"><div><div><div>Following up my own post, a similar enough question was posted a few years ago here: <a href="http://lists.jboss.org/pipermail/keycloak-user/2014-November/001145.html">http://lists.jboss.org/pipermail/keycloak-user/2014-November/001145.html</a> which resulted in the creation of the jira issue here: <a href="https://issues.jboss.org/browse/KEYCLOAK-825">https://issues.jboss.org/browse/KEYCLOAK-825</a><br><br></div>What was the outcome of that jira ticket? I signed up to the jboss dev community in hopes I could check on my own but it appears I don't have perms.<br><br></div>Thanks!<br></div>Seann<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 14, 2016 at 10:40 AM, Seann Ives <span dir="ltr"><<a href="mailto:sives@paintnite.com" target="_blank">sives@paintnite.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hello,<br><br></div>Our web application has a standard keycloak integration. Our mobile app is currently using keycloak direct access grants. I've got a few questions about expected behavior when a user has overlapping usage of both web and mobile which I'm hoping somewhere here can kindly answer.<br><br></div>1. A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app (via KC) and then logs out of the web app (via KC). Should the mobile refresh token then be able to successfully refresh the mobile JWT access token against KC, or does the web logout 'invalidate' the mobile refresh token?<br><br></div><div>2. Similar scenario but the web user changes their password instead of logging out:<br>A user logs in to the mobile app and gets a JWT and a refresh token.
The user then logs in to the web app and then changes their password (through KC).
Should the mobile refresh token (created with the old password) then be able to successfully refresh the mobile
JWT access token, or does the web logout 'invalidate' the mobile
refresh token?<br><br><br></div><div>Would the behavior in either of those cases be different if our mobile app used a webview redirecting to the KC server instead of using direct access grants?<br><br></div><div>Thanks very much!<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Seann Ives<br><br></div></font></span></div>
</blockquote></div><br></div>