[keycloak-user] web and mobile behavior with logout/pw change

[Seann Ives]

Hello,

Our web application has a standard keycloak integration.  Our mobile app is
currently using keycloak direct access grants.  I've got a few questions
about expected behavior when a user has overlapping usage of both web and
mobile which I'm hoping somewhere here can kindly answer.

1. A user logs in to the mobile app and gets a JWT and a refresh token.
The user then logs in to the web app (via KC) and then logs out of the web
app (via KC).  Should the mobile refresh token then be able to successfully
refresh the mobile JWT access token against KC, or does the web logout
'invalidate' the mobile refresh token?

2. Similar scenario but the web user changes their password instead of
logging out:
A user logs in to the mobile app and gets a JWT and a refresh token.  The
user then logs in to the web app and then changes their password (through
KC).  Should the mobile refresh token (created with the old password) then
be able to successfully refresh the mobile JWT access token, or does the
web logout 'invalidate' the mobile refresh token?


Would the behavior in either of those cases be different if our mobile app
used a webview redirecting to the KC server instead of using direct access
grants?

Thanks very much!
Seann Ives
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/95400fb4/attachment.html