[keycloak-user] token vs cookie for clients

Bill Burke bburke at redhat.com
Thu Mar 30 08:41:30 EDT 2017


The cookie for the auth server domain is a signed token; it is http-only 
and secure, and its path is the realm, /auth/realms/{realm-name}.  When a 
client requests a login, the browser is redirected to the auth server.  
The auth server looks to see if the cookie is set, verifies the 
signature on the cookie, and then looks up the auth server's user 
session, creates a token for the client and redirects back.


On 3/30/17 7:55 AM, Avinash Kundaliya wrote:
> Hi Bill,
> This is exactly what I was trying to ask. It is good to know that the 
> client adapters manage the session itself.
> Regarding the SSO with multiple apps, could you explain more about the 
> cookie from auth server's domain? maybe there is a documentation 
> somewhere that i can have a look at?
>
> Thanks for the help.
>
> Regards,
> Avinash
>
> On 29 March 2017 at 19:26, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     Not sure I understand the question, but I can talk about how our
>     client adapters work.
>
>     For our Java client adapters, once the user is authenticated using the
>     OIDC protocol, the client adapter manages the session itself using
>     traditional Servlet security.  The access token is used to obtain role
>     mapping information.  If this web application needs to invoke on back
>     ends, the access token is used to make secure invocations on these
>     additional back ends.
>
>     FYI, for browser apps, you can't do SSO with multiple apps without a
>     cookie from the auth server's domain.   This means you have to use one
>     of the redirection protocols from OIDC or SAML.
>
>
>     On 3/29/17 3:32 AM, Avinash Kundaliya wrote:
>     > Hello,
>     > I have a question that is more related to OAuth2 in general. If I am
>     > using keycloak with a web application. The backend has the token, is
>     > it suggested for the client to also communicate with the backend using
>     > the JWT or rather manage its own session and cookies.
>     > I think it's better to manage own session and cookies, but also
>     > curious how would single sign out work in those cases?
>     > I hope this is quite a basic question and there are defined ways to
>     > approach such issues.
>     >
>     > Thanks for all the help.
>     >
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>     <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>
> -- 
> ---
> Avinash Kundaliya
> avinash at avinash.com.np <mailto:avinash at avinash.com.np>
> http://avinash.com.np
>
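To make the cookie flow described in this thread concrete, the following is an added example written for this page; it is not Keycloak's code and not code from either poster. It models the auth server, a browser cookie jar and two OIDC clients, and follows the steps in Bill's reply: a signed, http-only, secure cookie scoped to the realm path, signature verification on the next redirect, a server-side session lookup, and a fresh token minted for whichever client asked. Everything below that the thread does not state is an assumption: the HMAC-SHA256 signature (standing in for the realm's signing key), the cookie name SSO_IDENTITY, the in-memory session table, the hostnames and redirect URIs, and the simplification of handing the client token back directly in the redirect instead of an authorization code.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

REALM_PATH = "/auth/realms/demo"            # cookie path per the post: /auth/realms/{realm-name}
COOKIE_NAME = "SSO_IDENTITY"                # hypothetical name, not Keycloak's
AUTH_URL = f"https://sso.example{REALM_PATH}/protocol/openid-connect/auth"  # assumed URL


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Owns the user sessions; signs the realm cookie and per-client tokens."""

    def __init__(self, key: bytes, clients: dict):
        self._key = key          # HMAC key stands in for the realm signing key (assumption)
        self._clients = clients  # client_id -> registered redirect URI
        self._sessions = {}      # session id -> user name (in-memory, for the illustration)

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def _verify(self, token):
        """Claims dict if the signature checks out, otherwise None (also for a missing cookie)."""
        try:
            body, sig = token.rsplit(".", 1)
            mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), mac):
                return None
            claims = json.loads(_unb64(body))
            return claims if isinstance(claims, dict) else None
        except (AttributeError, ValueError, UnicodeDecodeError):
            return None

    def login(self, username: str) -> dict:
        """Credential check omitted; returns the Set-Cookie attributes for the realm cookie."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = username
        return {"name": COOKIE_NAME, "value": self._sign({"sid": sid, "sub": username}),
                "path": REALM_PATH, "httponly": True, "secure": True}

    def authorize(self, client_id: str, cookie) -> dict:
        """The auth endpoint: check the cookie, find the session, mint a token, redirect back."""
        claims = self._verify(cookie)
        if claims is None or claims.get("sid") not in self._sessions:
            return {"action": "show_login_page"}
        user = self._sessions[claims["sid"]]
        token = self._sign({"sub": user, "aud": client_id, "sid": claims["sid"]})
        return {"action": "redirect",
                "location": f"{self._clients[client_id]}?{urlencode({'token': token})}"}

    def logout(self, cookie) -> None:
        """Dropping the server-side session invalidates the cookie for every client at once."""
        claims = self._verify(cookie)
        if claims:
            self._sessions.pop(claims.get("sid"), None)


class Browser:
    """Cookie jar that honours the Path and Secure attributes of the stored cookie."""

    def __init__(self):
        self.jar = []

    def cookie_for(self, url: str):
        parsed = urlparse(url)
        for c in self.jar:
            in_path = parsed.path == c["path"] or parsed.path.startswith(c["path"] + "/")
            if in_path and (parsed.scheme == "https" or not c["secure"]):
                return c["value"]
        return None


def run_sso_demo() -> dict:
    server = AuthServer(secrets.token_bytes(32),
                        {"app-a": "https://a.example/cb", "app-b": "https://b.example/cb"})
    browser, out = Browser(), {}
    # 1. app-a sends the browser to the auth server; no cookie yet, so the login page is shown
    out["first_visit"] = server.authorize("app-a", browser.cookie_for(AUTH_URL))["action"]
    # 2. one login stores the realm cookie; app-a now gets its token
    browser.jar.append(server.login("alice"))
    out["app_a"] = server.authorize("app-a", browser.cookie_for(AUTH_URL))["action"]
    # 3. app-b gets SSO: same cookie, a token minted for that client, no second prompt
    redirect = server.authorize("app-b", browser.cookie_for(AUTH_URL))
    out["app_b"] = redirect["action"]
    token = parse_qs(urlparse(redirect["location"]).query)["token"][0]
    out["app_b_aud"] = json.loads(_unb64(token.rsplit(".", 1)[0]))["aud"]
    # 4. the cookie is scoped to the realm path and only ever sent over https
    out["other_realm"] = browser.cookie_for("https://sso.example/auth/realms/other/x")
    out["plain_http"] = browser.cookie_for(AUTH_URL.replace("https://", "http://"))
    # 5. editing the claims breaks the signature, so no session lookup happens
    body, sig = browser.cookie_for(AUTH_URL).rsplit(".", 1)
    forged = dict(json.loads(_unb64(body)), sub="admin")
    out["tampered"] = server.authorize("app-b", f"{_b64(json.dumps(forged).encode())}.{sig}")["action"]
    # 6. logging out at the auth server ends SSO for both clients, which is single sign-out
    server.logout(browser.cookie_for(AUTH_URL))
    out["after_logout"] = server.authorize("app-a", browser.cookie_for(AUTH_URL))["action"]
    return out
```

Running run_sso_demo() walks the six steps in order; the last two show why the cookie alone is not the session: a forged cookie never reaches the session table, and removing the server-side session is what signs the user out of every client, regardless of what each client adapter still holds locally.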


