[keycloak-user] Sessions vs Tokens

Matt H tsdgcc2087 at outlook.com
Tue Dec 20 13:28:28 EST 2016


It is a spring boot application, so server side.  Is there any way to change it to force a token to be sent on each call?


________________________________
From: Stian Thorgersen <sthorger at redhat.com>
Sent: Monday, December 19, 2016 2:22 AM
To: Matt H
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Sessions vs Tokens

Depends on the app type. If it's a server-side web application it's secured with a cookie, but if it's a client-side application or a remote service it's secured by passing the token.

On 14 December 2016 at 20:18, Matt H <tsdgcc2087 at outlook.com> wrote:
I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access.  The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT.  Is this the standard behavior?  If there is no JWT, where are the claims read from?


Matt
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
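
The two modes discussed in this thread, as a small Python model added here for illustration; it is not code from the thread, from Keycloak or from the Spring Security adapter. `App`, `require_token`, the HMAC-signed token format and the key are constructed stand-ins, and keeping the verified claims in the server-side session is this model's assumption about where a cookie-secured application reads them from.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed; stands in for the realm's signing key

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(KEY, body, hashlib.sha256).digest())

def make_token(claims):
    """Constructed signed token standing in for a Keycloak-issued JWT."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def verify_token(token):
    """Return the claims if the signature verifies, else None."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

class App:
    """Hypothetical secured application; require_token=True models a token-only service."""
    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}  # session id -> claims held server-side

    def login_callback(self, token):
        """Browser login finished: keep the verified claims, return a session id."""
        claims = verify_token(token)
        if claims is None or self.require_token:
            return None  # token-only services never create a login session
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims
        return sid

    def handle(self, headers):
        """Return (status, claims) for a request to a secured endpoint."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            claims = verify_token(auth[len("Bearer "):])
            return (200, claims) if claims else (401, None)
        sid = headers.get("Cookie", "").partition("JSESSIONID=")[2]
        if not self.require_token and sid in self.sessions:
            return 200, self.sessions[sid]  # no JWT on the wire; claims come from the session
        return 401, None
```

In the cookie mode the session id is the credential for every request after login, so it needs the same protection as the token it stands for.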


