On 11.12.2014 23:20, Kuznetsov, Mike wrote:

Hello,


We are in the process of securing our REST APIs using Keycloak. Please confirm our understanding of the following:


We have a use case where our web client may SIMULTANEOUSLY send several REST API calls (r1, r2, r3…) to our server using the Access Token (at1) and Refresh Token (rt1).

When r1 is being handled, assuming that at1 is expired, the server-side adapter will take care of getting new tokens (at2, rt2). Is it safe to assume that r2 and r3 will get hold of at2 and rt2? If so, is it valid to conclude that the adapter is maintaining state for the token?

Is your web client a servlet application secured by Keycloak?

Actually it's the frontend application which handles refreshing of tokens. You can take a look at our example, where the frontend application sends REST requests to the backend application: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54 . In this case, when the code calls:

session.getTokenString()

the adapter will automatically handle refreshing the token (it checks if the token is expired and automatically refreshes it if it is). So later you can use this accessToken to send parallel requests to your REST endpoints, and it should be ok to assume that the accessToken is not expired.

Marek


Thank You,


Mikhail Kuznetsov
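As an added illustration of the pattern Marek describes (this is not code from the thread, nor from the Keycloak examples), a servlet that calls getTokenString() once and then issues r1, r2 and r3 in parallel with that single, already-refreshed token. KeycloakSecurityContext and getTokenString() are the adapter API used in the linked CustomerDatabaseClient; the servlet name, the backend endpoint URLs and the thread pool are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;

/** Hypothetical frontend servlet; fans out three backend calls (r1, r2, r3). */
public class ParallelBackendCallServlet extends HttpServlet {

    // Assumed backend REST endpoints; replace with your own resources.
    private static final String[] ENDPOINTS = {
        "http://localhost:8080/database/customers", // r1
        "http://localhost:8080/database/orders",    // r2
        "http://localhost:8080/database/invoices"   // r3
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The Keycloak adapter stores the security context as a request attribute.
        KeycloakSecurityContext session = (KeycloakSecurityContext)
            req.getAttribute(KeycloakSecurityContext.class.getName());

        // Call getTokenString() ONCE, before fanning out: the adapter checks
        // expiry here and refreshes if needed, so every parallel request below
        // carries the same access token that was valid at this moment.
        final String accessToken = session.getTokenString();

        ExecutorService pool = Executors.newFixedThreadPool(ENDPOINTS.length);
        List<Future<Integer>> results = new ArrayList<>();
        try {
            for (final String endpoint : ENDPOINTS) {
                results.add(pool.submit(new Callable<Integer>() {
                    @Override
                    public Integer call() throws IOException {
                        return callBackend(endpoint, accessToken);
                    }
                }));
            }
            resp.setContentType("text/plain");
            for (int i = 0; i < ENDPOINTS.length; i++) {
                try {
                    resp.getWriter().println(ENDPOINTS[i] + " -> HTTP " + results.get(i).get());
                } catch (Exception e) {
                    resp.getWriter().println(ENDPOINTS[i] + " -> failed: " + e.getMessage());
                }
            }
        } finally {
            pool.shutdown();
        }
    }

    /** Sends one GET with the bearer token and returns the HTTP status code. */
    static int callBackend(String endpoint, String accessToken) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

The token string is read on the request thread, before the worker threads start, so the refresh (if one happens) is done exactly once and the workers never race each other for it; the string is not stored anywhere beyond this request, so the next request goes through the adapter's expiry check again.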


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user