Hi all, Will be happy for help. I have tried to search but without success. Can not find details here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ss... Best regards, Michael ________________________________ From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; on behalf of Michael Furman <michael_furman(a)hotmail.com&gt; Sent: Thursday, December 15, 2016 10:08 PM To: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? Hi, Additional question: according to my understanding in case a user works (performs http requests) on some client the Refresh Token HTTP request comes to other OIDC clients. In case a user does not work on any client the Refresh Token HTTP request does not appear at all. Will happy for the confirmation. Michael On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman(a)hotmail.com&gt; wrote: Hi, We use the SpringSecurity adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter. Can you tell me the URI of the Refresh Token HTTP request for Java Adapters? Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...

Hi Sebastien, Thank you for your help! I need to clarify my questions. According to my understanding Keycloak handles the full SSO. For example I have 2 OIDC clients (SpringSecurity adapters) that work with the same IDP. (The client are not bearer-only clients) When a user works (performs HTTP requests) on the first OIDC client the token on the second OIDC client should be refreshed. Otherwise when the user will access the second client it will not be able to work. Therefore I think that Keycloak IDP send some request to the second OIDC client to refresh the token. Is it correct? If yes – what request IDP sends to the second OIDC client to refresh its token? If not – how Keycloak allows to access to the second OIDC client after the user works on the first OIDC client for a long time? One additional question about the logout: If a user will execute http://<ip>/<app>/sso/logout<http://%3cip%3e/%3capp%3e/sso/logout> on the first OIDC client I think that the token on the second OIDC client becomes invalid and also the Keycloak session becomes invalid. This is my understanding of the implementation of Single Logout by Keycloak. Will happy for the confirmation. Best regards, Michael ________________________________ From: Sebastien Blanc <sblanc(a)redhat.com&gt; Sent: Friday, December 16, 2016 1:20 PM To: Michael Furman Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? Not really sure what you are asking for ... To refresh it's this type of url : <your_realm_url>/protocol/openid-connect/token?grant_type+refresh_token&refresh_token=<your_refresh_token> And I don't understand your additonal question but maybe related to that, a bearer-only client won't have a refresh token. On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> wrote: Hi all, Will be happy for help. I have tried to search but without success. Can not find details here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ss... Best regards, Michael ________________________________ From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> Sent: Thursday, December 15, 2016 10:08 PM To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? Hi, Additional question: according to my understanding in case a user works (performs http requests) on some client the Refresh Token HTTP request comes to other OIDC clients. In case a user does not work on any client the Refresh Token HTTP request does not appear at all. Will happy for the confirmation. Michael On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> wrote: Hi, We use the SpringSecurity adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter. Can you tell me the URI of the Refresh Token HTTP request for Java Adapters? Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org<http://lists.jboss.org> To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org<http://lists.jboss.org> To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Thanks Sebastien, Can you clarify what you mean the session of the cookie? I want to configire for all clients 30 minutes session timeout. Same timeout for the session cookie on IDP. Still not clear to me if a user will work 2 hours on the first client and then will access to the second client how the session on the second cliend still active. May be the session on the second client already not active but the second client redirects to IDP and see that the IDP token is valid and then it redirects back with the token to the second client without an authentication. Correct? On Dec 16, 2016 3:48 PM, Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: On Fri, Dec 16, 2016 at 1:02 PM, Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> wrote: Hi Sebastien, Thank you for your help! I need to clarify my questions. According to my understanding Keycloak handles the full SSO. For example I have 2 OIDC clients (SpringSecurity adapters) that work with the same IDP. (The client are not bearer-only clients) When a user works (performs HTTP requests) on the first OIDC client the token on the second OIDC client should be refreshed. Otherwise when the user will access the second client it will not be able to work. Therefore I think that Keycloak IDP send some request to the second OIDC client to refresh the token. Is it correct? no If yes – what request IDP sends to the second OIDC client to refresh its token? If not – how Keycloak allows to access to the second OIDC client after the user works on the first OIDC client for a long time? For SSO, it will use the session or the cookie (depending how you configure it), no extra request are made for the second client. One additional question about the logout: If a user will execute http://<ip>/<app>/sso/logout<http://%3cip%3e/%3capp%3e/sso/logout> on the first OIDC client I think that the token on the second OIDC client becomes invalid and also the Keycloak session becomes invalid. yeah the session will be removed so all the clients will be logout. This is my understanding of the implementation of Single Logout by Keycloak. Will happy for the confirmation. Best regards, Michael ________________________________ From: Sebastien Blanc <sblanc@redhat.com<mailto:sblanc@redhat.com>> Sent: Friday, December 16, 2016 1:20 PM To: Michael Furman Cc: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? Not really sure what you are asking for ... To refresh it's this type of url : <your_realm_url>/protocol/openid-connect/token?grant_type+refresh_token&refresh_token=<your_refresh_token> And I don't understand your additonal question but maybe related to that, a bearer-only client won't have a refresh token. On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> wrote: Hi all, Will be happy for help. I have tried to search but without success. Can not find details here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ss... Best regards, Michael ________________________________ From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> Sent: Thursday, December 15, 2016 10:08 PM To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? Hi, Additional question: according to my understanding in case a user works (performs http requests) on some client the Refresh Token HTTP request comes to other OIDC clients. In case a user does not work on any client the Refresh Token HTTP request does not appear at all. Will happy for the confirmation. Michael On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>> wrote: Hi, We use the SpringSecurity adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter. Can you tell me the URI of the Refresh Token HTTP request for Java Adapters? Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org<http://lists.jboss.org> To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user> lists.jboss.org<http://lists.jboss.org> To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user