On 08/10/2015 03:26 PM, Bill Burke wrote:
> Once the WebSocket is established there is
> actually no reason to resend the token as the connection/socket remains
> open. HTTP requests are different. They need to retransmit the token
> because HTTP is connectionless and assumes every request is a different
> connection. For browser apps, logout can be handled in the regular way
> with keycloak.js. Non-browser apps can just rely on non-browser means.
> All the server needs is a way to validate and unpack the token. Refresh
> should be handled at the client side through keycloak.js or some other
> oauth library. For bearer token auth, it is not the responsibility of
> the server to manage the token.
Not sure I get it. Are you saying that my server endpoint should trust
that the client will close the connection once the token expires/is
invalidated?
- Juca.