[keycloak-user] Bearer Only Application and refresh token

Bill Burke bburke at redhat.com
Mon Nov 10 10:51:32 EST 2014

On 11/10/2014 9:48 AM, Davide Ungari wrote:
> Hi,
> following some of your suggestions I designed an application composed of a:
> 1- frontend web application
> 2- backend REST API

What is your frontend web app?  Javascript (GWT or Angular JS or jQuery)?

> The frontend has a servlet-proxy to the backend REST API to avoid cross
> domain problems.

Take a look at the CORS spec and also Keycloak's support for it.  You 
don't need a servlet proxy.

> The backend has a bearer-only configuration.
> Everything is working until the token does not expire, I tried to force
> refresh when I receive 401 status but it does not work.

Do you mean everything works until the token expires?

> What is supposed to be done every time the access token expires?

Whoever obtained the access token is responsible for refreshing it.  If 
your web application is a Javascript app, then you can use the 
keycloak.js library which will handle refreshing tokens.  Combine this 
with CORS if you need to invoke backend REST services that are on 
another domain.  There are a few examples in the distro that show how to 
do this.

Bill Burke
JBoss, a division of Red Hat
