2:52 a.m.
I adding keycloak into a legacy application that uses GWT and Jetty.
I have managed to get add Keycloak application using Spring-security.
Because this is GWT I am doing the authorisation in the application myself.
Sping just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct. I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to logout to get the new roles it at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the
authentication of the user is still valid, it is just the roles the user is
in that have changed.
Thanks
Chris
4:09 a.m.
If you're adding new roles the refresh token will continue to work, but
won't get new roles. If you're removing roles the refresh token won't be
permitted anymore.
You don't need to re-login though. Just discard the refresh token, do the
redirect dance to Keycloak again and you'll get a new client session under
the existing user session so the user won't have to re-authenticate, but
you'll have your new refresh token with updates roles.
On 20 August 2016 at 09:52, Christopher Davies <
christopher.james.davies(a)gmail.com> wrote:
I adding keycloak into a legacy application that uses GWT and Jetty.
I have managed to get add Keycloak application using Spring-security.
Because this is GWT I am doing the authorisation in the application myself.
Sping just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of a
RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct. I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to logout to get the new roles it at all possible.
Is there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the
authentication of the user is still valid, it is just the roles the user is
in that have changed.
Thanks
Chris
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:22 a.m.
The redirect dance it a bit more complex as I am in a GWT application.
However thanks for the feedback.
In most cases redirecting to login page will be easy enough, it is just
during editing that things may get tricky
Chris
On Fri, Aug 26, 2016 at 10:09 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
If you're adding new roles the refresh token will continue to
work, but
won't get new roles. If you're removing roles the refresh token won't be
permitted anymore.
You don't need to re-login though. Just discard the refresh token, do the
redirect dance to Keycloak again and you'll get a new client session under
the existing user session so the user won't have to re-authenticate, but
you'll have your new refresh token with updates roles.
On 20 August 2016 at 09:52, Christopher Davies <
christopher.james.davies(a)gmail.com> wrote:
> I adding keycloak into a legacy application that uses GWT and Jetty.
> I have managed to get add Keycloak application using Spring-security.
> Because this is GWT I am doing the authorisation in the application
> myself.
> Sping just provides a way to get access to the KeycloakSecurityContext.
>
> The issue I have is refreshing the token. I can get hold of
> a RefreshableKeycloakSecurityContext instance
> and use that to get a refresh token. What surprised me is that I cannot
> refresh a token if the roles have changed.
> Is this correct. I was hoping that the application could notice the role
> changes and adapt itself on the fly.
>
> I do not want to have to logout to get the new roles it at all possible.
> Is there something that I have overlooked that will allow
> me to use the idToken to get a new accessToken given that the
> authentication of the user is still valid, it is just the roles the user is
> in that have changed.
>
>
> Thanks
>
> Chris
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
12:42 a.m.
Use an embedded web view and problem solved ;)
On 30 August 2016 at 13:22, Christopher Davies <
christopher.james.davies(a)gmail.com> wrote:
The redirect dance it a bit more complex as I am in a GWT
application.
However thanks for the feedback.
In most cases redirecting to login page will be easy enough, it is just
during editing that things may get tricky
Chris
On Fri, Aug 26, 2016 at 10:09 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> If you're adding new roles the refresh token will continue to work, but
> won't get new roles. If you're removing roles the refresh token won't be
> permitted anymore.
>
> You don't need to re-login though. Just discard the refresh token, do the
> redirect dance to Keycloak again and you'll get a new client session under
> the existing user session so the user won't have to re-authenticate, but
> you'll have your new refresh token with updates roles.
>
> On 20 August 2016 at 09:52, Christopher Davies <christopher.james.davies@
> gmail.com> wrote:
>
>> I adding keycloak into a legacy application that uses GWT and Jetty.
>> I have managed to get add Keycloak application using Spring-security.
>> Because this is GWT I am doing the authorisation in the application
>> myself.
>> Sping just provides a way to get access to the KeycloakSecurityContext.
>>
>> The issue I have is refreshing the token. I can get hold of a
>> RefreshableKeycloakSecurityContext instance
>> and use that to get a refresh token. What surprised me is that I cannot
>> refresh a token if the roles have changed.
>> Is this correct. I was hoping that the application could notice the role
>> changes and adapt itself on the fly.
>>
>> I do not want to have to logout to get the new roles it at all possible.
>> Is there something that I have overlooked that will allow
>> me to use the idToken to get a new accessToken given that the
>> authentication of the user is still valid, it is just the roles the user is
>> in that have changed.
>>
>>
>> Thanks
>>
>> Chris
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
12:23 p.m.
I'm facing the same problem.
I use JavaScript adapter and do login with a POST request to
/.../protocol/openid-connect/token/ (no Keycloak login screen involved).
What should I do to keep things working after a refresh fail due to lack of
roles?
Thanks in advance
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
12:42 p.m.
I'm facing the same problem.
I use JavaScript adapter and do login with a POST request to
/.../protocol/openid-connect/token/ (no Keycloak login screen involved).
What should I do to keep things working after a refresh fail due to lack of
roles?
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
2272
days inactive
2806
days old
5 comments
3 participants
participants (3)
-
carrbrpoa -
Christopher Davies -
Stian Thorgersen