On 11/10/2014 9:48 AM, Davide Ungari wrote:
> Hi,
> following some of your suggestions I designed an application composed of a:
> 1- frontend web application
> 2- backend REST API

What is your frontend web app? JavaScript (GWT or Angular JS or jQuery)?

> The frontend has a servlet-proxy to the backend REST API to avoid
> cross domain problems.

Take a look at the CORS spec and also Keycloak's support for it. You
don't need a servlet proxy.

> The backend has a bearer-only configuration.
> Everything is working until the token does not expire, I tried to force
> refresh when I receive 401 status but it does not work.

Do you mean everything works until the token expires?

> What is supposed to be done every time the access token expires?

Whoever obtained the access token is responsible for refreshing it. If
your web application is a JavaScript app, then you can use the
keycloak.js library which will handle refreshing tokens. Combine this
with CORS if you need to invoke backend REST services that are on
another domain. There are a few examples in the distro that show how to
do this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
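
The refresh responsibility described in the reply above, as an added example that is not part of the original message and is not keycloak.js code: the token holder refreshes shortly before expiry and retries once if the bearer-only backend still answers 401. `session.refresh` and `send` are hypothetical callbacks supplied by the caller, and the tokens are constructed, unsigned samples.

```javascript
// Added example. `session.refresh` (e.g. a refresh-token grant) and `send`
// (e.g. a fetch() that sets "Authorization: Bearer <token>") are hypothetical.

// Read the `exp` claim (seconds since epoch) from a JWT without verifying it.
// This only schedules refreshes; the backend still validates the signature.
function tokenExp(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64)).exp;
}

// True when the token expires within `minValidity` seconds of `nowSec`.
function needsRefresh(jwt, nowSec, minValidity) {
  return tokenExp(jwt) - nowSec < minValidity;
}

// Refresh proactively before the call, then once more if the backend
// still rejects the token (clock skew, revoked session).
async function callWithRefresh(session, send, nowSec, minValidity = 30) {
  if (needsRefresh(session.token, nowSec, minValidity)) {
    session.token = await session.refresh();
  }
  let res = await send(session.token);
  if (res.status === 401) {
    session.token = await session.refresh();
    res = await send(session.token); // retry once only, never loop
  }
  return res;
}

// Constructed sample token: unsigned, for the demonstration only.
function fakeJwt(exp) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.`;
}
```

If the second attempt also returns 401, the refresh token itself is no longer accepted and the user has to log in again.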