[keycloak-dev] redirects vs. javascript logins

Bill Burke bburke at redhat.com
Thu Jul 25 12:57:56 EDT 2013


To do SSO, the Keycloak server sets a session cookie so that the user 
doesn't have to log in again if the cookie is set.  This will have issues 
with the custom login, like the way the Event Juggler app works. 
Correct me if I'm wrong, but for Event Juggler, the login page is hosted 
at the Event Juggler website?  And the app would do an HTTP invocation 
to obtain the token, correct?

The problem with this approach is that we wouldn't be able to set the 
login session cookie as all cookies will be HttpOnly and not accessible 
via JavaScript (due to security issues).  So, SSO would not work, and 
the user would have to log in again for each additional site they visited.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com