On 14 Mar 2016 15:42, "Seann Ives" <sives@paintnite.com> wrote:
>
> Hello,
>
> Our web application has a standard keycloak integration.  Our mobile app is currently using keycloak direct access grants.  I've got a few questions about expected behavior when a user has overlapping usage of both web and mobile which I'm hoping somewhere here can kindly answer.
>
> 1. A user logs in to the mobile app and gets a JWT and a refresh token.  The user then logs in to the web app (via KC) and then logs out of the web app (via KC).  Should the mobile refresh token then be able to successfully refresh the mobile JWT access token against KC, or does the web logout 'invalidate' the mobile refresh token?

Logout only invalidates one session. Since you have a mobile app with direct grant and a separate web app they have separate sessions.

>
> 2. Similar scenario but the web user changes their password instead of logging out:
> A user logs in to the mobile app and gets a JWT and a refresh token.  The user then logs in to the web app and then changes their password (through KC).  Should the mobile refresh token (created with the old password) then be able to successfully refresh the mobile JWT access token, or does the web logout 'invalidate' the mobile refresh token?

All sessions except the session changing the password are logged out. So the mobile refresh token should be invalid.

>
>
> Would the behavior in either of those cases be different if our mobile app used a webview redirecting to the KC server instead of using direct access grants?

Yes/no. If you use an embedded webview it has its own cookies and doesn't have access to the system browser cookies. So there's two separate sessions. I'd still use webview though and not direct grant. A much better option is to use an embedded system browser tab as it actually allows having one session between multiple mobile apps and system browser. I've got no clue how to do that though, I just read that's the proper way to do it.

>
> Thanks very much!
> Seann Ives
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user