[keycloak-user] How to know when to get a refreshed bearer token

Bill Burke bburke at redhat.com
Wed Jan 7 10:00:09 EST 2015


You probably should not be using the k_query_bearer_token request.  I'm 
thinking of removing it because it is vulnerable to CSRF attacks. 
Instead use keycloak.js for javascript apps.

On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
> The token is indeed updated automatically when it is requested. I was
> rather wondering if there was a way to not have to request it prior to
> each AJAX request. Currently, since the application does not know when
> the token expires, it has to either get it prior to each AJAX request,
> or try to use a possibly stale token and request it again when it gets a
> 401 from the REST service. It would be nice to get information about
> token expiry together with the token in response to k_query_bearer_token
> request.
>
> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>     IIRC, if you're using the correct APIs (in Javascript or on the server
>     side), the token will be automatically updated for you when you
>     request it.
>
>     On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>      > Hi,
>      >
>      > My jee web application uses its bearer token when issuing AJAX
>     requests
>      > to other REST services within the realm (but at different
>     origins). It
>      > does it by reading the exposed bearer token prior to making an AJAX
>      > request. Is there a mechanism by which the application may find
>     out when
>      > the bearer token is refreshed, to make it possible to read the bearer
>      > token only when needed ?
>      >
>      > Br / Hubert.
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
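The proactive refresh discussed above, as an added example that is not part of this thread or of keycloak.js: instead of fetching the token before every AJAX call or waiting for a 401, the app reads the `exp` claim from the JWT it already holds and refreshes only when the remaining validity drops below a threshold, which is the same contract keycloak.js offers through `updateToken(minValidity)`. The `refresh` callback and the `makeToken` helper are assumptions standing in for the real refresh call and for a real Keycloak-issued token.

```javascript
// Added example, not keycloak.js code. Decides when a bearer token needs
// refreshing by reading its "exp" claim; the refresh() callback is an
// assumed stand-in for keycloak.updateToken(minValidity).

// Decode the payload of a compact JWS (header.payload.signature) without
// verifying it. The app only uses "exp" for scheduling; the REST service
// that receives the token is still the party that must verify the signature.
// Buffer is Node's API; in a browser use atob() on the base64url payload.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Seconds of validity left; negative when the token has already expired.
function secondsUntilExpiry(token, nowSeconds) {
  const exp = decodeJwtPayload(token).exp;
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return exp - nowSeconds;
}

// True when the token expires within minValidity seconds (the same meaning
// minValidity has in keycloak.js updateToken).
function needsRefresh(token, minValidity, nowSeconds) {
  return secondsUntilExpiry(token, nowSeconds) < minValidity;
}

// Returns a token valid for at least minValidity seconds, calling refresh()
// only when required. refresh is assumed to resolve to a new JWT string.
async function freshToken(token, minValidity, refresh, nowSeconds) {
  if (!needsRefresh(token, minValidity, nowSeconds)) return token;
  const next = await refresh();
  if (needsRefresh(next, 0, nowSeconds)) {
    throw new Error('refresh returned an already expired token');
  }
  return next;
}

// Constructed sample tokens for offline use: unsigned JWTs (alg "none",
// empty signature) whose only payload claim is "exp".
function makeToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.`;
}
```

Call `freshToken` right before each AJAX request with the current time; it returns the cached token untouched while it is still fresh, so the token is read only when it actually has to change.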

