You probably should not be using the k_query_bearer_token request. I'm thinking of removing it because it is vulnerable to CSRF attacks. Instead use keycloak.js for javascript apps.
On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
The token is indeed updated automatically when it is requested. I was
rather wondering if there was a way to not have to request it prior to
each AJAX request. Currently, since the application does not know when
the token expires, it has to either get it prior to each AJAX request,
or try to use a possibly stale token and request it again when it gets a
401 from the REST service. It would be nice to get information about
token expiry together with the token in response to k_query_bearer_token
request.
On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke@redhat.com
<mailto:bburke@redhat.com>> wrote:
IIRC, if you're using the correct APIs (in Javascript or on the server
side), the token will be automatically updated for you when you
request it.
On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
> Hi,
>
> My jee web application uses its bearer token when issuing AJAX
requests
> to other REST services within the realm (but at different
origins). It
> does it by reading the exposed bearer token prior to making an AJAX
> request. Is there a mechanism by which the application may find
out when
> the bearer token is refreshed, to make it possible to read the bearer
> token only when needed ?
>
> Br / Hubert.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user