First of all, Keycloak looks great - the alpha release is a very nice start!
I have a question about bearer token expiration. Take the included
product portal example. It is configured to use Keycloak for SSO, which
allows the user to access the product listing page. That listing page
uses the current SkeletonKeySession's token as the Bearer token when
invoking the database/products REST endpoint. This makes sense to me,
but one interesting thing happens - that token eventually times out.
Once that happens all calls to the REST endpoint fail.
Note that this occurs even if the user refreshes that product listing
page. The timeout is from login, not from the last activity (like an
http session timeout would be).
So in this scenario, how is the product page supposed to get a new token
when the old one expires?
This becomes even more relevant if the UI is not a JSP but is instead a
JavaScript app (e.g. angular, GWT, etc). I was thinking that I would
need to pass the token to the client layer, which would then allow me to
make authenticated REST calls directly from the Client/JavaScript layer
to a REST API. That would be a great separation, but obviously the user
should not get logged out after N minutes despite actively using the app
during that time.
I'm probably missing something obvious... :)
-Eric