Hello,

We are in the process of securing our REST APIs using Keycloak. Please confirm our understanding of the following:

We have a use case where our web client may SIMULTANEOUSLY send several REST API calls (r1, r2, r3…) to our server using the Access Token (at1) and Refresh Token (rt1).

When r1 is being handled, assuming that at1 is expired, the server-side adapter will be taking care of getting new tokens (at2, rt2). Is it safe to assume that r2 and r3 will get hold of at2 and rt2? If so, is it valid to conclude that the adapter is maintaining state for the token?

Thank You,

Mikhail Kuznetsov