[keycloak-user] Clarification of use case: simultaneous requests with expired token

Marek Posolda mposolda at redhat.com
Fri Dec 12 05:32:53 EST 2014


On 11.12.2014 23:20, Kuznetsov, Mike wrote:
>
> Hello,
>
> We are in the process of securing our REST APIs using Keycloak. Please 
> confirm our understanding of the following:
>
> We have a use case where our web client may SIMULTANEOUSLY send 
> several REST API calls (r1, r2, r3…) to our server using the Access 
> Token (at1) and Refresh Token (rt1).
>
> When r1 is being handled, assuming that at1 is expired, the server-side 
> adapter will take care of getting new tokens (at2, rt2). Is it 
> safe to assume that r2 and r3 will get hold of at2 and rt2? If so, is 
> it valid to conclude that the adapter is maintaining state for the token?
>
Is your web client a servlet application secured by Keycloak?

Actually, it's the frontend application that handles refreshing of 
tokens. You can take a look at our example, where the frontend application 
is sending REST requests to the backend application: 
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54 
. In this case, when the code calls:

session.getTokenString()

the adapter will automatically handle refreshing the token (it checks 
whether the token is expired and automatically refreshes it if it is). So 
later you can use this access token to send parallel requests to your REST 
endpoints, and it should be OK to assume that the access token is not expired.

Marek
>
> Thank You,
>
> Mikhail Kuznetsov
>
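The pattern Marek describes (check expiry once in getTokenString(), refresh if needed, then reuse the fresh access token for all the parallel calls) goes wrong if every parallel request checks and refreshes on its own: several refreshes race, and if the server rotates refresh tokens, the losers get rejected. The following is an added, stand-alone Python illustration of the client side; it is not code from the Keycloak adapter, from the linked example, or from anyone in this thread. It models a TokenHolder that refreshes under a lock, a constructed stand-in for the token endpoint (assumed, for the demo only, to accept each refresh token once), and eight threads sending requests at the same moment. The unsigned JWT-shaped tokens, the fake endpoint, the 5-second expiry skew and all names are assumptions of the example.

```python
import base64
import json
import threading
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload: dict) -> str:
    """Constructed, unsigned JWT-shaped token (assumption: only the 'exp'
    claim matters here; no signature is produced or verified)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def jwt_exp(token: str) -> int:
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def is_expired(token: str, now: float, skew: int = 5) -> bool:
    """Treat the token as expired 'skew' seconds early (assumed value), so a
    request already in flight does not reach the backend after real expiry."""
    return jwt_exp(token) - skew <= now


class TokenHolder:
    """Client-side analogue of the adapter's getTokenString(): expiry check
    and refresh happen under one lock, so N concurrent callers trigger at
    most one refresh and all receive the same new access token."""

    def __init__(self, access_token, refresh_token, refresh_fn, clock=time.time):
        self._access = access_token
        self._refresh = refresh_token
        self._refresh_fn = refresh_fn  # (refresh_token) -> (new_at, new_rt)
        self._clock = clock
        self._lock = threading.Lock()
        self.refresh_count = 0

    def get_token_string(self) -> str:
        with self._lock:
            if is_expired(self._access, self._clock()):
                self._access, self._refresh = self._refresh_fn(self._refresh)
                self.refresh_count += 1
            return self._access


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.
    Demo assumption: refresh tokens are single-use, so a second refresh
    with the same rt (as unsynchronised parallel callers would send) fails."""

    def __init__(self, clock):
        self._clock = clock
        self._valid_refresh = set()
        self._issued = 0

    def issue(self, lifetime: int):
        self._issued += 1
        at = make_token({"exp": int(self._clock()) + lifetime, "jti": f"at{self._issued}"})
        rt = f"rt{self._issued}"
        self._valid_refresh.add(rt)
        return at, rt

    def refresh(self, refresh_token: str):
        if refresh_token not in self._valid_refresh:
            raise PermissionError("refresh token already used or unknown")
        self._valid_refresh.discard(refresh_token)
        return self.issue(lifetime=300)


def run_parallel_requests(n_requests: int = 8) -> dict:
    """Start with an already-expired at1/rt1, fire n_requests concurrently,
    and report which access token each request carried and how many
    refreshes the token endpoint saw."""
    now = [1_000_000.0]            # fixed fake clock keeps the demo deterministic
    clock = lambda: now[0]
    endpoint = FakeTokenEndpoint(clock)
    at1, rt1 = endpoint.issue(lifetime=60)
    now[0] += 120                  # at1 has expired by the time requests go out
    holder = TokenHolder(at1, rt1, endpoint.refresh, clock)

    seen, seen_lock = [], threading.Lock()

    def send_request():
        token = holder.get_token_string()   # refresh happens here, once
        with seen_lock:
            seen.append(token)              # would go into Authorization: Bearer <token>

    threads = [threading.Thread(target=send_request) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "distinct_tokens": len(set(seen)),
        "refreshes": holder.refresh_count,
        "all_unexpired": all(not is_expired(t, clock()) for t in seen),
        "at1_reused": at1 in seen,
    }


if __name__ == "__main__":
    print(run_parallel_requests())
```

Running it shows all eight requests carrying the same at2 after exactly one refresh, and at1 never reaching the backend. Dropping the lock in get_token_string() would let several threads see at1 as expired and each call refresh() with rt1; with the single-use refresh token assumed here, all but the first would raise PermissionError, which is the failure mode the lock exists to prevent.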
