Re: [keycloak-user] token vs cookie for clients

Hi Bill, This is exactly what i was trying to ask. It is good to know that the client adapters manage the session itself. Regarding the SSO with multiple apps, could you explain more about the cookie from auth server's domain? maybe there is a documentation somewhere that i can have a look at? Thanks for the help. Regards, Avinash On 29 March 2017 at 19:26, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: Not sure I understand the question, but I can talk about how our client adapters work. For our Java client adapters, once the user is authenticated using OIDC protocol, the client adapter manages the session itself using traditional Servlet security. The access token is used to obtain role mapping information. If this web application needs to invoke on back ends, the access token is used to make secure invocations on these additinal back ends. FYI, for browser apps, you can't do SSO with multiple apps without a cookie from the auth server's domain. This means you have to use one of the redirection protocols from OIDC or SAML. On 3/29/17 3:32 AM, Avinash Kundaliya wrote: > Hello, > I have a question that is more related to OAuth2 in general. If i am using > keycloak with a web application. The backend has the token, is it suggested > for the client to also communicate with the backend using the JWT or rather > manage its own session and cookies. > I think its better to manage own session and cookies, but also curious how > would single sign out work in those cases? > I hope this is quite a basic question and there are defined ways to > approach such issues. > > Thanks for all the help. > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> -- --- Avinash Kundaliya avinash(a)avinash.com.np <mailto:avinash@avinash.com.np> http://avinash.com.np