[keycloak-user] Sessions vs Tokens

Stian Thorgersen sthorger at redhat.com
Mon Dec 19 03:22:10 EST 2016


Depends on the app type. If it's a server-side web application it's secured
with a cookie, but if it's a client-side application or a remote service
it's secured by passing the token.

On 14 December 2016 at 20:18, Matt H <tsdgcc2087 at outlook.com> wrote:

> I'm not sure how best to describe this, but I have seen times when I called
> a secured endpoint (secured with the Spring Security adapter) but a token was
> not passed and I was able to gain access.  The first time I went to a
> secured endpoint I had to log in to Keycloak to authenticate, but then on
> each request, only a session id was passed and no JWT.  Is this the
> standard behavior?  If there is no JWT, where are the claims read from?
>
>
> Matt
>
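
A simplified model of the two modes discussed in this thread, added here as an illustration and not taken from Keycloak's adapter code: after login the server keeps the verified claims in its own session store and the browser only carries a session id, while a bearer-only service accepts nothing but a token on each request. The HMAC key, the `SESSIONS` store, the `SESSIONID` cookie name and the `bearer_only` parameter are constructed assumptions; expiry and audience checks are left out.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key
SESSIONS = {}                  # server-side store: session id -> claims captured at login

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Constructed HS256 JWT standing in for the access token issued at login."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_token(token: str):
    """Return the claims if the signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return json.loads(b64d(body))
    except (ValueError, TypeError):
        return None

def login(token: str) -> str:
    """Server-side web app: verify once, keep claims in the session, return only an id."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid token")
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = claims
    return sid

def authenticate(headers: dict, cookies: dict, bearer_only: bool = False):
    """Resolve claims from a bearer token or, unless bearer_only, from the session cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_token(auth[len("Bearer "):])
    if not bearer_only:
        # No JWT on the request: the claims come from the server-side session.
        return SESSIONS.get(cookies.get("SESSIONID"))
    return None
```

In this model the session id is as sensitive as the token it was exchanged for, so the cookie needs the usual protections (Secure, HttpOnly, server-side invalidation on logout).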

