A few tips:
- If you enable "Remember me" for the realm, the KEYCLOAK_IDENTITY
cookie won't be cleared at the end of the browser session.
- There is a callback, "onTokenExpired", which you can use in the keycloak.js
adapter when the accessToken is expired. You will be redirected back to
the Keycloak server and re-logged in with SSO (as long as KEYCLOAK_IDENTITY is
still valid).
The approach with "token" may work, but I would personally use the
approach with shorter token timeouts and redirect to the SSO, assuming
that rememberMe will work. This has some downsides (redirect to
Keycloak needed periodically, rememberMe available), so I'm not sure if it
works for you. If you want the approach with "token", you may need to
disable the session iframe in that case (as the SSO session on the Keycloak side
may no longer be valid after a browser restart).
Marek
On 4.2.2018 at 14:48, Ori Doolman wrote:
Hi,
My web application is using the Keycloak JS adapter, and I'm using the
'implicit' flow for getting the access token.
I have a requirement to prevent the user from keying in passwords again for 24 hours
(assuming the token is expired after 24 hours), even after the browser is closed and
re-opened.
There is a cookie called 'KEYCLOAK_IDENTITY', which I assume preserves the login
state, but it is a session cookie and it is deleted after closing the browser window.
I also see that in the initOptions of the adapter, I can pass an existing access token by
the 'token' property. Hence, I was thinking to persist the 24-hour access token
into localStorage and then read it and pass it as part of initOptions to the adapter when my
application starts.
However, I cannot make it work and I'm not even sure it is possible to do so.
Is it possible to use the 'token' initOption like that?
If not, is there a recommended approach for implementing such a requirement?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
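
Added example (not part of the original thread and not Keycloak project code): one way to wire the keycloak.js "onTokenExpired" callback for the short-token, SSO re-login approach described in the reply, with a guard against redirect loops. The function name `setupSsoRelogin`, the key `RELOGIN_KEY`, the `minIntervalMs` and `onLoop` options, and the injectable `storage`/`now` are assumptions made for illustration.

```javascript
// `keycloak` is an instance created by the keycloak.js adapter.
// RELOGIN_KEY, minIntervalMs, onLoop and the injected storage/now are
// hypothetical names introduced for this example.
const RELOGIN_KEY = 'kc-last-sso-relogin';

function setupSsoRelogin(keycloak, opts = {}) {
  const {
    storage = globalThis.sessionStorage, // per-tab, survives the redirect
    now = Date.now,
    minIntervalMs = 30000,
    onLoop = () => {},
  } = opts;

  keycloak.onTokenExpired = () => {
    const last = Number(storage.getItem(RELOGIN_KEY) || 0);
    // If we were sent to Keycloak moments ago and the token is already
    // expired again (clock skew, misconfigured lifespan), stop instead of
    // bouncing between the application and the server.
    if (now() - last < minIntervalMs) {
      onLoop();
      return false;
    }
    storage.setItem(RELOGIN_KEY, String(now()));
    // The implicit flow has no refresh token, so a new access token comes
    // from a redirect; a valid KEYCLOAK_IDENTITY cookie makes that
    // round trip password-free.
    keycloak.login();
    return true;
  };

  // No `token` initOption and nothing written to localStorage: the login
  // state lives only in Keycloak's own cookie.
  return keycloak.init({ onLoad: 'login-required', flow: 'implicit' });
}
```

With "Remember me" enabled on the realm and a short access token lifespan, the browser restart case is handled by the same redirect, since the cookie rather than a stored token carries the session.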