Re: [keycloak-dev] redirects vs. javascript logins

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 26 July, 2013 9:48:55 AM Subject: Re: [keycloak-dev] redirects vs. javascript logins Yes, I don't know why I missed that. As you say login and logout has to be done through redirects as long as HttpOnly is set on the cookie. EventJuggler simply links to the login page, but logout is a XHR and as you say that would have to be a redirect as well. ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 25 July, 2013 5:57:56 PM > Subject: [keycloak-dev] redirects vs. javascript logins > > To do SSO, keycloak server sets a session cookie so that the user > doesn't have to relogin if the cookie is set. This will have issues > with the custom login, like the way the Event Juggler app works. > Correct me if I'm wrong, but for Event Juggler, the login page is hosted > at the Event Juggler website? And the app would do an HTTP invocation > to obtain the token, correct? > > The problem with this approach is that we wouldn't be able to set the > login session cookie as all cookies will be HttpOnly and not accessible > via javascript (due to security issues). So, SSO would not work, and > the user would have to relogin for each additional site they visited. > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev