Yes, I don't know why I missed that. As you say, login and logout have to be done
through redirects as long as HttpOnly is set on the cookie.
EventJuggler simply links to the login page, but logout is an XHR, and as you say that would
have to be a redirect as well.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 25 July, 2013 5:57:56 PM
Subject: [keycloak-dev] redirects vs. javascript logins
To do SSO, keycloak server sets a session cookie so that the user
doesn't have to relogin if the cookie is set. This will have issues
with the custom login, like the way the Event Juggler app works.
Correct me if I'm wrong, but for Event Juggler, the login page is hosted
at the Event Juggler website? And the app would do an HTTP invocation
to obtain the token, correct?
The problem with this approach is that we wouldn't be able to set the
login session cookie as all cookies will be HttpOnly and not accessible
via javascript (due to security issues). So, SSO would not work, and
the user would have to relogin for each additional site they visited.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev