[keycloak-dev] Clarification on Access Token and Refresh Token

Stian Thorgersen stian at redhat.com
Fri Sep 19 04:08:26 EDT 2014


Hi,

I'm assuming you're using the WildFly adapter? It associates the token with the user's HTTP session. So you'd either need to replicate the sessions or use sticky sessions.

It would make sense to me to add an option to the adapter to make it stateless and use cookies instead of the HTTP session to store the tokens. Added https://issues.jboss.org/browse/KEYCLOAK-702

----- Original Message -----
> From: "Bappaditya Gorai (bgorai)" <bgorai at cisco.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 19 September, 2014 8:53:04 AM
> Subject: [keycloak-dev] Clarification on Access Token and Refresh Token
> 
> 
> 
> Hi Keycloak Dev Team,
> 
> First of all congrats to you guys with your 1.0 Final release.
> 
> We have an application configured in Keycloak as a public client, which is
> accessed using a Java client (httpclient). However, we don't see the access_token
> coming out of the resource server. So for the next call to the resource server, my
> client needs to repeat the authorization steps all over again (if we don't
> maintain a session on the client side, which is our requirement). I understand
> that for a web client (web browser) the session ID is used by the Keycloak adapter to
> establish the authenticity of the client for consecutive resource access
> calls.
> 
> 1. Is there any way to get the access_token in the resource server response (maybe
> as a cookie), as the resource server adapter is doing "code to token"? So
> that for successive calls to the resource server we can send the access_token.
> 
> 2. Actually, in my setup the resource server/application is behind a load balancer.
> So the session ID may not be valid for a different node. Is there any way to
> configure the application/resource server so that
> 
> a) The client can get back the access token.
> 
> b) Refresh can also happen automatically.
> 
> 3. As per my understanding, currently Keycloak stores the access token/refresh
> token etc. in the server HTTP session. Is there a way to persist the access token
> /refresh token etc. in a data store so that
> 
> a. Inactivity/session timeout will not clear this data (can provide longevity).
> 
> b. Resource servers can use a load balancer setup.
> 
> Thanks
> 
> Bappaditya Gorai
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
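The thread boils down to where the tokens live: the adapter keeps them in the server-side HTTP session, which is why a load-balanced resource server needs session replication or sticky sessions. The alternative for a non-browser client is the one OAuth2 already provides: the client performs the "code to token" step itself, keeps the access and refresh tokens on its side, and sends the access token as a bearer header on every call, so any node behind the balancer can serve it and refresh happens without any server state. The following is an added example written for this page, not Keycloak adapter code; the token endpoint URL, client ID, authorization code and the in-memory `FakeTokenEndpoint` are all constructed placeholders so the exchange runs offline. The fake endpoint mirrors the parts of the token endpoint behaviour that matter here: single-use codes, rotating refresh tokens, and rejection of a reused or expired refresh token.

```python
"""Client-side OAuth2 token holder with automatic refresh (added example,
not Keycloak code). Tokens are kept by the client, not in a server session,
so calls can hit any node of a load-balanced resource server."""
import time
from typing import Callable, Dict, Optional

# Transport abstraction: post(url, form_fields) -> parsed JSON body as a dict.
# Wrap requests/httpclient in production; the example injects a fake endpoint.
Poster = Callable[[str, Dict[str, str]], Dict[str, str]]


class TokenError(Exception):
    pass


class TokenSession:
    """Holds one user's tokens on the client side and refreshes them."""
    SKEW = 30  # refresh this many seconds before the access token expires

    def __init__(self, token_url: str, client_id: str, post: Poster,
                 clock: Callable[[], float] = time.time):
        self.token_url, self.client_id, self.post, self.clock = token_url, client_id, post, clock
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    def _apply(self, resp: Dict[str, str]) -> None:
        if "error" in resp:
            raise TokenError(resp["error"])
        self.access_token = resp["access_token"]
        # Keycloak rotates refresh tokens; keep the old one only if none is returned.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(resp["expires_in"])

    def exchange_code(self, code: str, redirect_uri: str) -> None:
        """The 'code to token' step, done by the client instead of the adapter.
        A public client sends no client_secret."""
        self._apply(self.post(self.token_url, {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": self.client_id}))

    def refresh(self) -> None:
        if not self.refresh_token:
            raise TokenError("no refresh token")
        self._apply(self.post(self.token_url, {
            "grant_type": "refresh_token", "refresh_token": self.refresh_token,
            "client_id": self.client_id}))

    def bearer(self) -> str:
        """Authorization header value, refreshing proactively when near expiry."""
        if self.access_token is None:
            raise TokenError("not logged in")
        if self.clock() >= self.expires_at - self.SKEW:
            self.refresh()
        return "Bearer " + self.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for a Keycloak-style token endpoint (not Keycloak):
    single-use codes, rotating refresh tokens, expired/reused refresh rejected."""

    def __init__(self, clock: Callable[[], float], access_ttl=300, refresh_ttl=1800):
        self.clock, self.access_ttl, self.refresh_ttl = clock, access_ttl, refresh_ttl
        self.codes = {"good-code": "alice"}   # constructed: code -> user
        self.refresh_tokens: Dict[str, tuple] = {}  # token -> (user, expires_at)
        self.issued = 0

    def _issue(self, user: str) -> Dict[str, str]:
        self.issued += 1
        rt = f"rt-{self.issued}"
        self.refresh_tokens[rt] = (user, self.clock() + self.refresh_ttl)
        return {"access_token": f"at-{self.issued}-{user}", "token_type": "bearer",
                "expires_in": str(self.access_ttl), "refresh_token": rt}

    def __call__(self, url: str, form: Dict[str, str]) -> Dict[str, str]:
        grant = form.get("grant_type")
        if grant == "authorization_code":
            user = self.codes.pop(form.get("code", ""), None)  # codes are single-use
            return self._issue(user) if user else {"error": "invalid_grant"}
        if grant == "refresh_token":
            entry = self.refresh_tokens.pop(form.get("refresh_token", ""), None)  # rotate
            if entry is None or entry[1] <= self.clock():
                return {"error": "invalid_grant"}
            return self._issue(entry[0])
        return {"error": "unsupported_grant_type"}


def demo():
    """Exchange a code, reuse the token while fresh, then auto-refresh near expiry."""
    now = [1_000_000.0]                      # controllable clock for the example
    endpoint = FakeTokenEndpoint(lambda: now[0])
    session = TokenSession("https://keycloak.example/token",  # placeholder URL
                           "my-app", endpoint, lambda: now[0])
    session.exchange_code("good-code", "https://app.example/callback")
    first = session.bearer()                 # fresh token, no refresh
    now[0] += 100
    same = session.bearer()                  # still fresh: same token
    now[0] += 200                            # 300 s elapsed: within SKEW of expiry
    refreshed = session.bearer()             # refresh happened transparently
    return first, same, refreshed


if __name__ == "__main__":
    print(demo())
```

The resource server then only has to validate the bearer token's signature and expiry on whichever node receives the request; nothing about the user is looked up in a local session, which is exactly the property the load-balanced setup in question 2 needs. Note that a refresh token is a long-lived credential: keep it in the client's own protected store, never in a URL, and treat an `invalid_grant` on refresh as a signal to re-authenticate rather than retry.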