On 3/31/2015 4:28 AM, Marek Posolda wrote:
On 31.3.2015 10:16, Sebastian Rose wrote:
>> That's actually related to the application session (a kind of HttpSession
>> ID in a web application secured by Keycloak). We can add support for
>> changing application_session_state in the refreshToken endpoint instead of
>> introducing a separate endpoint. Will it be sufficient for your use case?
>> Marek
> As Bastian already said...
> Thanks for your response. Yes, I think this would work for us.
>
> I will create a JIRA for that and contribute a change via pull request (if this is
> fine for you)?
Yep, thanks. There is some refactoring in latest master; you would need
to look at TokenEndpoint.buildRefreshToken now (TokenEndpoint is a new
class, which didn't exist in 1.1.0.Final).
I'm not understanding what you want here. You are worried about an
attacker getting the HTTP session id of the application? You want the
HttpSession id to change 1) after login, 2) after refresh token? How
does this have anything to do with the auth server? Wouldn't this be an
adapter feature?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
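Bill's question is really about rotating the container's HttpSession ID at the privilege boundary (the classic session-fixation mitigation), which lives on the application/adapter side rather than in the auth server. The following servlet filter is an added example for this thread; it is not code from Keycloak or its adapters. It assumes a Servlet 3.1+ container (for HttpServletRequest.changeSessionId()) and that it runs after whatever component authenticates the request has set the user principal; the session attribute name is this example's own choice.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not Keycloak adapter code): the first time a request
 * arrives authenticated on a session that was previously anonymous, swap the
 * session ID. Attributes survive; only the JSESSIONID cookie value changes,
 * so an ID an attacker planted before login is worthless after login.
 *
 * Assumption: this filter is ordered after the authenticating component, so
 * request.getUserPrincipal() is already populated for logged-in users.
 */
public class SessionRotationFilter implements Filter {

    // Marker recording which principal the current session ID was issued for.
    // The attribute name is an arbitrary choice made for this example.
    static final String ROTATED_FOR = "example.sessionRotatedFor";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            rotateIfNewlyAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /**
     * Rotates the session ID if the request is authenticated and the session
     * has not yet been rotated for this principal. Returns true when a
     * rotation happened, so the decision can be unit-tested with a mock.
     */
    static boolean rotateIfNewlyAuthenticated(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return false;                 // still anonymous: nothing to protect yet
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;                 // no server-side session to fixate
        }
        Object marker = session.getAttribute(ROTATED_FOR);
        if (principal.getName().equals(marker)) {
            return false;                 // already rotated for this user
        }
        // Servlet 3.1: issues a fresh ID, keeps attributes, and makes the
        // container send a new Set-Cookie for JSESSIONID on this response.
        request.changeSessionId();
        session.setAttribute(ROTATED_FOR, principal.getName());
        return true;
    }

    @Override
    public void destroy() { }
}
```

On a Servlet 3.0 container without changeSessionId(), the equivalent is to copy the attributes, invalidate() the old session and create a new one with getSession(true); the marker logic above stays the same. Rotating again on token refresh, as asked about in the thread, would need a signal from the adapter that a refresh occurred, which is why Bill notes it reads as an adapter feature rather than an auth-server one.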