<div dir="ltr">The redirect dance it a bit more complex as I am in a GWT application.<div>However thanks for the feedback.</div><div>In most cases redirecting to login page will be easy enough, it is just during editing that things may get tricky</div><div><br></div><div>Chris </div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 26, 2016 at 10:09 AM Stian Thorgersen <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">If you're adding new roles the refresh token will continue to work, but won't get new roles. If you're removing roles the refresh token won't be permitted anymore.<div><br></div><div>You don't need to re-login though. Just discard the refresh token, do the redirect dance to Keycloak again and you'll get a new client session under the existing user session so the user won't have to re-authenticate, but you'll have your new refresh token with updates roles.</div></div><div class="gmail_extra"><br><div class="gmail_quote"></div></div><div class="gmail_extra"><div class="gmail_quote">On 20 August 2016 at 09:52, Christopher Davies <span dir="ltr"><<a href="mailto:christopher.james.davies@gmail.com" target="_blank">christopher.james.davies@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I adding keycloak into a legacy application that uses GWT and Jetty.<div>I have managed to get add Keycloak application using Spring-security.</div><div>Because this is GWT I am doing the authorisation in the application myself.</div><div>Sping just provides a way to get access to the KeycloakSecurityContext.</div><div><br></div><div>The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance</div><div>and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed.</div><div>Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly.</div><div><br></div><div>I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow</div><div>me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed.</div><div><br></div><div><br></div><div>Thanks</div><div><br></div><div>Chris</div><div><br></div></div>
<br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div>