[keycloak-user] Sessions vs Tokens

Stian Thorgersen sthorger at redhat.com
Wed Dec 21 00:46:37 EST 2016


You can't force the browser to send a header, so using a cookie is the only
way for a server-side web app.

On 20 December 2016 at 19:28, Matt H <tsdgcc2087 at outlook.com> wrote:

> It is a spring boot application, so server side.  Is there any way to
> change it to force a token to be sent on each call?
>
>
> ------------------------------
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Monday, December 19, 2016 2:22 AM
> *To:* Matt H
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Sessions vs Tokens
>
> Depends on the app type. If it's a server-side web application it's
> secured with a cookie, but if it's a client-side application or a remote
> service it's secured by passing the token.
>
> On 14 December 2016 at 20:18, Matt H <tsdgcc2087 at outlook.com> wrote:
>
>> I'm not sure how best to describe this but I have seen times when I
>> called a secured endpoint (secured with spring security adapter) but a
>> token was not passed and I was able to gain access.  The first time I went
>> to a secured endpoint I had to log into keycloak to authenticate, but then
>> on each request, only a session id was passed and no JWT.  Is this the
>> standard behavior?  If there is no JWT, where are the claims read from?
>>
>>
>> Matt
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
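The two modes Stian describes, as an added illustration that is not part of the thread or of the Keycloak adapter code: a server-side web app validates the token once at login, keeps the claims in a server-side session and hands the browser only a session id cookie, while a remote service or client-side app presents the token itself on every call. The HS256 key, the `JSESSIONID` cookie name and the sample claims are constructed for the demo; a real Keycloak adapter verifies RS256 signatures against the realm's public key.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed demo key (assumption); real adapters verify RS256 with the realm public key.
HS256_KEY = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the example runs offline (demo input only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Return the claims of an HS256 JWT if its signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(HS256_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))

# Server-side session store: session id -> claims captured from the token at login.
SESSIONS: dict[str, dict] = {}

def login_with_token(token: str) -> Optional[str]:
    """Browser flow: verify once, keep the claims server-side, return only a session id."""
    claims = verify_jwt(token)
    if claims is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = claims
    return sid

def claims_for_request(headers: dict) -> Optional[dict]:
    """Bearer token (remote service / SPA) or session cookie (server-side web app)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_jwt(auth[len("Bearer "):])
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":           # assumed cookie name for the demo
            return SESSIONS.get(value)     # claims come from the server-side session
    return None
```

The cookie path returns claims without any JWT on the wire, which is the behaviour Matt observed: the browser only carries a session id, and the claims are read from the token the server kept at login.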

