[keycloak-user] WebSockets
Juraci Paixão Kröhling
juraci at kroehling.de
Mon Aug 10 09:48:42 EDT 2015
On 08/10/2015 03:26 PM, Bill Burke wrote:
> Once the WebSocket is established there is
> actually no reason to resend the token as the connection/socket remains
> open. HTTP requests are different. They need to retransmit the token
> because HTTP is connectionless and assumes every request is a different
> connection. For browser apps, logout can be handled in the regular way
> with keycloak.js. Non-browser apps can just rely on non-browser means.
>
> All the server needs is a way to validate and unpack the token. Refresh
> should be handled at the client side through keycloak.js or some other
> OAuth library. For bearer token auth, it is not the responsibility of
> the server to manage the token.
Not sure I get it. Are you saying that my server endpoint should trust
that the client will close the connection once the token expires/is
invalidated?
- Juca.
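
An added example, not part of the original thread and not Keycloak's code: one way a server endpoint can enforce token expiry on an open WebSocket itself rather than relying on the client to disconnect. It assumes the token's signature was already verified at the handshake; `guardSocket`, `makeToken` and close code 4401 are names and values chosen for this example.

```javascript
// Assumption: the signature was verified against the realm key before this runs;
// the code below handles only the `exp` claim of an already-trusted token.

// Decode the payload segment of a compact JWT (base64url-encoded JSON).
function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Milliseconds the connection may stay open; <= 0 means already expired.
function remainingMs(claims, nowMs) {
  if (!Number.isInteger(claims.exp)) throw new Error('token has no exp claim');
  return claims.exp * 1000 - nowMs;
}

// Tie a socket-like object (anything with close(code, reason)) to the token lifetime.
// renew() takes a refreshed token the client sent over the open socket.
function guardSocket(socket, jwt, now = Date.now, schedule = setTimeout, cancel = clearTimeout) {
  let timer = null;
  // 4401 is a hypothetical application close code (4000-4999 is the private range).
  const expire = () => socket.close(4401, 'token expired');
  const arm = (token) => {
    const ms = remainingMs(decodeClaims(token), now());
    if (timer !== null) cancel(timer);
    timer = null;
    if (ms <= 0) { expire(); return false; }
    timer = schedule(expire, ms);
    return true;
  };
  return { accepted: arm(jwt), renew: arm, stop: () => { if (timer !== null) cancel(timer); } };
}

// Build a constructed sample token; "sig" is a placeholder, not a real signature.
function makeToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64({ alg: 'RS256' })}.${b64({ sub: 'constructed-user', exp })}.sig`;
}

// Demo: a token that expired one second ago is rejected at the handshake.
const demo = guardSocket({ close: (c, r) => console.log('closed', c, r) },
  makeToken(Math.floor(Date.now() / 1000) - 1));
console.log('accepted at handshake:', demo.accepted);
```

This covers expiry only; a token invalidated before its `exp` (logout, revocation) needs a separate signal to the server.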