Re: [keycloak-user] token vs cookie for clients

Not sure I understand the question, but I can talk about how our client adapters work. For our Java client adapters, once the user is authenticated using OIDC protocol, the client adapter manages the session itself using traditional Servlet security. The access token is used to obtain role mapping information. If this web application needs to invoke on back ends, the access token is used to make secure invocations on these additinal back ends. FYI, for browser apps, you can't do SSO with multiple apps without a cookie from the auth server's domain. This means you have to use one of the redirection protocols from OIDC or SAML. On 3/29/17 3:32 AM, Avinash Kundaliya wrote: > Hello, > I have a question that is more related to OAuth2 in general. If i am using > keycloak with a web application. The backend has the token, is it suggested > for the client to also communicate with the backend using the JWT or rather > manage its own session and cookies. > I think its better to manage own session and cookies, but also curious how > would single sign out work in those cases? > I hope this is quite a basic question and there are defined ways to > approach such issues. > > Thanks for all the help. > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user