[keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?

Sebastien Blanc sblanc at redhat.com
Fri Dec 16 10:06:34 EST 2016


There is only 1 session for that user, no matter how many clients are
being used, as long as it belongs to the same browser session; that is the
whole magic of the SSO.

On Fri, Dec 16, 2016 at 3:20 PM, Michael Furman <michael_furman at hotmail.com>
wrote:

> Thanks Sebastien,
>
> Can you clarify what you mean by the session of the cookie?
> I want to configure for all clients 30 minutes session timeout.
> Same timeout for the session cookie on IDP.
>
> Still not clear to me if a user will work 2 hours on the first client and
> then will access to the second client how the session on the second client
> is still active.
>
> Maybe the session on the second client already not active but the second
> client redirects to IDP and see that the IDP token is valid and then it
> redirects back with the token to the second client without an
> authentication.
>
> Correct?
>
> On Dec 16, 2016 3:48 PM, Sebastien Blanc <sblanc at redhat.com> wrote:
>
>
>
> On Fri, Dec 16, 2016 at 1:02 PM, Michael Furman <
> michael_furman at hotmail.com> wrote:
>
> Hi Sebastien,
>
> Thank you for your help!
>
> I need to clarify my questions.
>
> According to my understanding Keycloak handles the full SSO.
>
> For example I have 2 OIDC clients (SpringSecurity adapters) that work with
> the same IDP.
>
> (The clients are not bearer-only clients)
>
> When a user works (performs HTTP requests) on the first OIDC client the
> token on the second OIDC client should be refreshed.
> Otherwise when the user will access the second client it will not be able
> to work.
>
> Therefore I think that Keycloak IDP sends some request to the second OIDC
> client to refresh the token.
>
> Is it correct?
>
> no
>
> If yes – what request IDP sends to the second OIDC client to refresh its
> token?
>
> If not – how Keycloak allows to access to the second OIDC client after
> the user works on the first OIDC client for a long time?
>
> For SSO, it will use the session or the cookie (depending on how you
> configure it), no extra requests are made for the second client.
>
>
>
> One additional question about the logout:
>
> If a user will execute http://<ip>/<app>/sso/logout on the first OIDC
> client I think that the token on the second OIDC client becomes invalid
> and also the Keycloak session becomes invalid.
>
> yeah the session will be removed so all the clients will be logged out.
>
>
> This is my understanding of the implementation of Single Logout by
> Keycloak.
>
> Will be happy for the confirmation.
>
> Best regards,
>    Michael
>
>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Friday, December 16, 2016 1:20 PM
> *To:* Michael Furman
> *Cc:* keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] What the URI of the Refresh Token HTTP
> request for Java Adapters?
>
> Not really sure what you are asking for ... To refresh it's this type of
> url : <your_realm_url>/protocol/openid-connect/token?grant_type=refresh_token&refresh_token=<your_refresh_token>
>
> And I don't understand your additional question but maybe related to that,
> a bearer-only client won't have a refresh token.
>
>
>
> On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman <
> michael_furman at hotmail.com> wrote:
>
> Hi all,
>
> Will be happy for help.
>
> I have tried to search but without success.
>
> Can not find details here:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sso-protocols/oidc.html
>
>
> Best regards,
>
>    Michael
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org>
> on behalf of Michael Furman <michael_furman at hotmail.com>
> Sent: Thursday, December 15, 2016 10:08 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP
> request for Java Adapters?
>
> Hi,
> Additional question: according to my understanding in case a user works
> (performs http requests) on some client the Refresh Token HTTP request
> comes to other OIDC clients.
>
> In case a user does not work on any client the Refresh Token HTTP request
> does not appear at all.
>
> Will be happy for the confirmation.
> Michael
>
> On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman at hotmail.com>
> wrote:
>
> Hi,
> We use the SpringSecurity adapter.
> I need to handle some internal application logic when the URI of the
> Refresh Token HTTP request comes to the adapter.
> Can you tell me the URI of the Refresh Token HTTP request for Java
> Adapters?
> Best regards,
>    Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


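The refresh call discussed in this thread, as an added example that is not part of the original messages or of Keycloak's adapter code: it builds the `refresh_token` grant as a POST whose parameters travel in a form-encoded body, as RFC 6749 section 6 specifies, which keeps the refresh token out of URLs and access logs. The realm URL, client id, secret and token below are constructed placeholders, and the request is built but never sent.

```python
import base64
import urllib.parse
import urllib.request

TOKEN_PATH = "/protocol/openid-connect/token"  # path quoted in the thread


def build_refresh_request(realm_url, refresh_token, client_id, client_secret=None):
    """Build (without sending) the OAuth 2.0 refresh_token grant request."""
    parts = urllib.parse.urlsplit(realm_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("realm URL must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("realm URL must not carry a query or fragment")

    # Parameters travel in the form-encoded body, never in the query string.
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if client_secret is None:
        # Public client: identified by client_id in the body, no secret.
        form["client_id"] = client_id
    else:
        # Confidential client: HTTP Basic authentication (RFC 6749, 2.3.1).
        user = urllib.parse.quote_plus(client_id)
        password = urllib.parse.quote_plus(client_secret)
        creds = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
        headers["Authorization"] = "Basic " + creds

    body = urllib.parse.urlencode(form).encode("ascii")
    url = realm_url.rstrip("/") + TOKEN_PATH
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network.
    req = build_refresh_request(
        "https://sso.example.test/auth/realms/demo",
        "constructed-refresh-token",
        "app-one",
        "constructed-secret",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
```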