You can't force the browser to send a header, so using a cookie is the only
way for a server-side web app.
On 20 December 2016 at 19:28, Matt H <tsdgcc2087(a)outlook.com> wrote:
It is a Spring Boot application, so server side. Is there any way to
change it to force a token to be sent on each call?
------------------------------
*From:* Stian Thorgersen <sthorger(a)redhat.com>
*Sent:* Monday, December 19, 2016 2:22 AM
*To:* Matt H
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Sessions vs Tokens
Depends on the app type. If it's a server-side web application it's
secured with a cookie, but if it's a client-side application or a remote
service it's secured by passing the token.
On 14 December 2016 at 20:18, Matt H <tsdgcc2087(a)outlook.com> wrote:
> I'm not sure how best to describe this, but I have seen times when I
> called a secured endpoint (secured with the Spring Security adapter) but a
> token was not passed and I was able to gain access. The first time I went
> to a secured endpoint I had to log into Keycloak to authenticate, but then
> on each request, only a session ID was passed and no JWT. Is this the
> standard behavior? If there is no JWT, where are the claims read from?
>
>
> Matt