[keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?

Sebastien Blanc sblanc at redhat.com
Fri Dec 16 08:48:57 EST 2016


On Fri, Dec 16, 2016 at 1:02 PM, Michael Furman <michael_furman at hotmail.com>
wrote:

> Hi Sebastien,
>
> Thank you for your help!
>
> I need to clarify my questions.
>
> According to my understanding Keycloak handles the full SSO.
>
> For example I have 2 OIDC clients (SpringSecurity adapters) that work with
> the same IDP.
>
> (The client are not bearer-only clients)
>
> When a user works (performs HTTP requests) on the first OIDC client the
> token on the second OIDC client should be refreshed.
> Otherwise when the user will access the second client it will not be able
> to work.
>
> Therefore I think that Keycloak IDP send some request to the second OIDC
> client to refresh the token.
>
> Is it correct?
>
no

> If yes – what request IDP sends to the second OIDC client to refresh its
> token?
>
> If not – how Keycloak allows to access to the second OIDC client after
> the user works on the first OIDC client for a long time?
>
For SSO, it will use the session or the cookie (depending how you configure
it), no extra request are made for the second client.

>
>
> One additional question about the logout:
>
> If a user will execute http://<ip>/<app>/sso/logout on the first OIDC
> client I think that the token on the second OIDC client becomes invalid
> and also the Keycloak session becomes invalid.
>
yeah the session will be removed so all the clients will be logout.

>
> This is my understanding of the implementation of Single Logout by
> Keycloak.
>
> Will happy for the confirmation.
>
> Best regards,
>    Michael
>
>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Friday, December 16, 2016 1:20 PM
> *To:* Michael Furman
> *Cc:* keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] What the URI of the Refresh Token HTTP
> request for Java Adapters?
>
> Not really sure what you are asking for ... To refresh it's this type of
> url : <your_realm_url>/protocol/openid-connect/token?grant_
> type+refresh_token&refresh_token=<your_refresh_token>
>
> And I don't understand your additonal question but maybe related to that,
> a bearer-only client won't have a refresh token.
>
>
>
> On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman <
> michael_furman at hotmail.com> wrote:
>
>> Hi all,
>>
>> Will be happy for help.
>>
>> I have tried to search but without success.
>>
>> Can not find details here:
>>
>> https://keycloak.gitbooks.io/server-adminstration-guide/cont
>> ent/topics/sso-protocols/oidc.html
>>
>>
>> Best regards,
>>
>>    Michael
>>
>> ________________________________
>> From: keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <
>> michael_furman at hotmail.com>
>> Sent: Thursday, December 15, 2016 10:08 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP
>> request for Java Adapters?
>>
>> Hi,
>> Additional question: according to my understanding in case a user works
>> (performs http requests) on some client the Refresh Token HTTP request
>> comes to other OIDC clients.
>>
>> In case a user does not work on any client the Refresh Token HTTP request
>> does not appear at all.
>>
>> Will happy for the confirmation.
>> Michael
>>
>> On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman at hotmail.com>
>> wrote:
>>
>> Hi,
>> We use the SpringSecurity adapter.
>> I need to handle some internal application logic when the URI of the
>> Refresh Token HTTP request comes to the adapter.
>> Can you tell me the URI of the Refresh Token HTTP request for Java
>> Adapters?
>> Best regards,
>>    Michael
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> keycloak-user Info Page - JBoss Developer<https://lists.jboss.
>> org/mailman/listinfo/keycloak-user>
>> lists.jboss.org
>> To see the collection of prior postings to the list, visit the
>> keycloak-user Archives. Using keycloak-user: To post a message to all the
>> list members ...
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> keycloak-user Info Page - JBoss Developer<https://lists.jboss.
>> org/mailman/listinfo/keycloak-user>
>> lists.jboss.org
>> To see the collection of prior postings to the list, visit the
>> keycloak-user Archives. Using keycloak-user: To post a message to all the
>> list members ...
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


More information about the keycloak-user mailing list