[keycloak-user] token vs cookie for clients

Bill Burke bburke at redhat.com
Wed Mar 29 09:41:48 EDT 2017


Not sure I understand the question, but I can talk about how our client 
adapters work.

For our Java client adapters, once the user is authenticated using OIDC 
protocol, the client adapter manages the session itself using 
traditional Servlet security.  The access token is used to obtain role 
mapping information.  If this web application needs to invoke on back 
ends, the access token is used to make secure invocations on these 
additional back ends.

FYI, for browser apps, you can't do SSO with multiple apps without a 
cookie from the auth server's domain.   This means you have to use one 
of the redirection protocols from OIDC or SAML.


On 3/29/17 3:32 AM, Avinash Kundaliya wrote:
> Hello,
> I have a question that is more related to OAuth2 in general. If I am using
> keycloak with a web application. The backend has the token, is it suggested
> for the client to also communicate with the backend using the JWT or rather
> manage its own session and cookies.
> I think it's better to manage own session and cookies, but also curious how
> would single sign out work in those cases?
> I hope this is quite a basic question and there are defined ways to
> approach such issues.
>
> Thanks for all the help.
>
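The adapter pattern Bill describes, as an added illustration (not code from the thread or from Keycloak itself): the servlet adapter has already finished the OIDC redirect flow and bound the user to a cookie-backed container session, so the servlet reads the adapter's security context, gates on servlet roles mapped from the access token, and forwards that token only to a back end. The back-end URL and the `orders-reader` role are assumed placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Runs behind the Keycloak servlet adapter. The browser only ever holds the
 * container's session cookie; the access token lives server-side in that session.
 */
public class OrdersServlet extends HttpServlet {

    // Hypothetical back-end URL; replace with your own service.
    private static final String BACKEND_URL = "https://backend.example.internal/api/orders";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The adapter stores its context as a request attribute keyed by the class name.
        KeycloakSecurityContext ctx =
            (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // Only reachable if the web.xml security constraint does not cover this path.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Role mapping came from the access token; the adapter exposes it via servlet security.
        // The raw claims are also available, e.g. token.getRealmAccess().getRoles().
        AccessToken token = ctx.getToken();
        if (!req.isUserInRole("orders-reader")) {   // assumed role name
            log("denied " + token.getPreferredUsername() + " on " + req.getRequestURI());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Secure invocation on the back end: the session's access token goes out as a
        // bearer token to the service, never back to the browser.
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND_URL).openConnection();
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
        int status = conn.getResponseCode();
        resp.setStatus(status);
        InputStream body = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
        if (body != null) {
            body.transferTo(resp.getOutputStream());
        }
    }
}
```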
