[keycloak-user] Communication between Keycloak and Spring Security Adapter

Stian Thorgersen sthorger at redhat.com
Fri Sep 30 03:30:47 EDT 2016


I'm not clued up on the Spring adapter, but in general the way it works is:

* Adapter redirects to KC
* User logs in KC
* KC redirects back with code
* Adapter exchanges code for token
* Once token expires, adapter sends refresh token request to KC

Any verification of the token is done by checking the signature (it's a
JWS, not a JWT). Same goes if you use the token to invoke a service, the
service can verify the token without invoking KC.

On 26 September 2016 at 21:42, Matt H <matt.inbox at outlook.com> wrote:

> Hi,
>
>
> I'm trying to get a better understanding of the communication between
> Keycloak and spring security client applications.  If I'm understanding the
> authentication/authorization flow, it would be something like:
>
>
> 1. User (or client application) login to application
>
> 2. Spring security redirects to Keycloak
>
> 3. Keycloak verifies user and creates a JWT
>
> 4. Redirects user with JWT back to application
>
> 5. Verifies JWT
>
> 6. Sends response to client
>
>
> For step #5, verification: Does spring security verify the JWT locally, or
> is the token sent back to Keycloak for verification?  I'm wondering how
> much "chatter" there is between Spring security and Keycloak for every
> request.
>
>
> If a user already has a non-expired JWT, does it just do steps 5-6 until
> it expires?  Once it expires, it requests a new JWT from Keycloak?
>
>
> Thanks,
>
> Matt
>
>
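A stdlib-only sketch of the local check described in the reply above, added here as an example (it is not code from Keycloak or the Spring adapter): the adapter validates the compact JWS itself and only falls back to a refresh request when the signature is good but `exp` has passed. It assumes HS256 with a constructed shared secret instead of Keycloak's default RS256 realm key, and a hypothetical realm URL.

```python
import base64, hashlib, hmac, json

# Constructed demo values. Keycloak signs tokens with the realm's RSA key (RS256)
# by default; HS256 with a shared secret is used here only so the check runs on
# the standard library. The shape is the same: a local signature check, no
# round trip to the server.
DEMO_KEY = b"constructed-demo-secret"
DEMO_ISSUER = "https://kc.example/auth/realms/demo"  # hypothetical realm URL

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Stand-in for the server side: compact JWS (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

class TokenExpired(ValueError):
    """Signature was fine, only the lifetime is over: refresh, don't reject."""

def verify_token(token: str, key: bytes, issuer: str, now: int) -> dict:
    """Adapter side: pin alg, check signature, issuer and expiry locally."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour 'none' or a downgrade
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")   # checked before any claim is trusted
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise TokenExpired("expired")       # adapter would now send a refresh request
    return claims

def token_status(token: str, key: bytes, issuer: str, now: int) -> str:
    """'ok' (serve request), 'expired' (refresh), or 'invalid: <why>' (reject)."""
    try:
        verify_token(token, key, issuer, now)
        return "ok"
    except TokenExpired:
        return "expired"
    except ValueError as why:
        return f"invalid: {why}"
```

A service receiving the bearer token runs the same `verify_token` against the realm's key and never needs to call Keycloak per request.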

