[keycloak-user] How to know when to get a refreshed bearer token
Bill Burke
bburke at redhat.com
Wed Jan 7 17:49:32 EST 2015
If your server-side components are all REST-based, I suggest using
bearer token auth for them and obtaining the token via the keycloak.js
adapter. Again, k_query_bearer_token auth is vulnerable to CSRF right now.
On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
> Thanks for the heads-up. I'll take a closer look at the javascript adapter.
>
> FYI, I've found the k_query_bearer_token request quite useful for a web
> app that uses a mix of server-side and javascript components.
>
> On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <bburke at redhat.com> wrote:
>
> You probably should not be using the k_query_bearer_token request.
> I'm thinking of removing it because it is vulnerable to CSRF
> attacks. Instead use keycloak.js for javascript apps.
>
> On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>
> The token is indeed updated automatically when it is requested. I was
> rather wondering if there was a way to not have to request it prior to
> each AJAX request. Currently, since the application does not know when
> the token expires, it has to either get it prior to each AJAX request,
> or try to use a possibly stale token and request it again when it gets a
> 401 from the REST service. It would be nice to get information about
> token expiry together with the token in response to k_query_bearer_token
> request.
>
> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke at redhat.com> wrote:
>
> IIRC, if you're using the correct APIs (in Javascript or on the server
> side), the token will be automatically updated for you when you
> request it.
>
> On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
> > Hi,
> >
> > My JEE web application uses its bearer token when issuing AJAX requests
> > to other REST services within the realm (but at different origins). It
> > does it by reading the exposed bearer token prior to making an AJAX
> > request. Is there a mechanism by which the application may find out when
> > the bearer token is refreshed, to make it possible to read the bearer
> > token only when needed?
> >
> > Br / Hubert.
> >
> >
> > _________________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
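The decision the thread circles around, reading the token's own `exp` claim and refreshing only when it is about to lapse instead of before every AJAX call, can be made entirely on the client. The keycloak.js adapter exposes that decision as `updateToken(minValidity)` (and the parsed claims as `tokenParsed`); the helper below is an added, stand-alone example written for this page, not code from the thread or from keycloak.js, that re-implements the same logic so it runs offline. The `refresh` function, the fake REST service, the tokens and the `NOW` timestamp are all constructed stand-ins; the signature segment is a placeholder because a browser client never verifies it, that is the resource server's job. It also shows the fallback Hubert describes: if the service still answers 401 with a token that is not yet expired (revocation, clock skew), refresh once and retry.

```javascript
// Decode the payload segment of a compact JWT without verifying it.
// The client only needs the "exp" claim to schedule refreshes.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return JSON.parse(Buffer.from(b64 + pad, 'base64').toString('utf8'));
}

// Seconds of validity left relative to nowSec (injected so tests are deterministic).
function secondsUntilExpiry(token, nowSec) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return exp - nowSec;
}

// True when the token is expired or will expire within minValiditySec.
// The margin absorbs clock skew and the latency of the request in flight.
function isTokenExpired(token, minValiditySec, nowSec) {
  return secondsUntilExpiry(token, nowSec) < minValiditySec;
}

// Holds the current bearer token and calls refresh() only when needed.
// refresh is whatever obtains a new token (in a real app the adapter does it);
// here it is injected (assumption) so the example runs without a server.
class BearerTokenStore {
  constructor(initialToken, refresh, minValiditySec = 30) {
    this.token = initialToken;
    this.refresh = refresh;
    this.minValiditySec = minValiditySec;
    this.refreshCount = 0; // how many times we actually went back for a token
  }
  getToken(nowSec) {
    if (isTokenExpired(this.token, this.minValiditySec, nowSec)) this.forceRefresh();
    return this.token;
  }
  forceRefresh() {
    this.token = this.refresh();
    this.refreshCount += 1;
    return this.token;
  }
}

// Send a request with the bearer token; on 401 refresh once and retry.
// send(headers) stands in for the AJAX call and returns { status }.
function sendWithBearer(store, send, nowSec) {
  const attempt = () => send({ Authorization: `Bearer ${store.getToken(nowSec)}` });
  let res = attempt();
  if (res.status === 401) {
    store.forceRefresh();
    res = attempt();
  }
  return res;
}

// --- constructed sample data (not real tokens, not a real realm) -------------
const NOW = 1420667292; // constructed epoch seconds (the thread's date)

function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  // Signature segment is a placeholder: the client reads claims, never verifies.
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

// Walk a fake clock through several AJAX calls and count refreshes.
function demo() {
  let clock = NOW;
  // The "realm" mints tokens that live 300 s from the moment of minting.
  const mint = () => makeSampleToken({ sub: 'hubert', aud: 'rest-service', exp: clock + 300 });
  const store = new BearerTokenStore(mint(), mint, 30);

  // The REST service rejects expired or revoked tokens with 401.
  const revoked = new Set();
  const service = (headers) => {
    const token = headers.Authorization.replace(/^Bearer /, '');
    const ok = !revoked.has(token) && secondsUntilExpiry(token, clock) > 0;
    return { status: ok ? 200 : 401 };
  };

  const statuses = [];
  for (const t of [0, 60, 200, 275, 290]) { // seconds after start
    clock = NOW + t;
    statuses.push(sendWithBearer(store, service, clock).status); // refresh only at t=275
  }
  revoked.add(store.token); // token revoked server-side before its exp
  clock = NOW + 300;
  statuses.push(sendWithBearer(store, service, clock).status); // 401, refresh, retry -> 200

  return { statuses, refreshes: store.refreshCount };
}
```

With a 30-second margin the store goes back for a token twice in six requests: once when the first token has under 30 s left, and once when the service rejects a revoked token. Everything else is served from the cached token, which is the behaviour Hubert was after without polling the server before each call.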