mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-08 08:01:18 -05:00
Code Issues Packages Projects Releases Wiki Activity

notes about access and refresh tokens

Browse Source 
Closes #26919

Signed-off-by: AndyMunro <amunro@redhat.com>
(cherry picked from commit 7d504ed1c9)
This commit is contained in:
AndyMunro
2024-02-26 15:06:57 -05:00
committed by Alexander Schwartz
parent 86e0861b33
commit 122683612e
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/documentation/securing_apps/topics/oidc/javascript-adapter.adoc
+5
View File
@@ -119,6 +119,11 @@ try {
const users = await fetchUsers();
----
[NOTE]
====
Both access and refresh token are stored in memory and are not persisted in any kind of storage. Therefore, these tokens should never be persisted to prevent hijacking attacks.
====
==== Session Status iframe
By default, the adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This iframe does not require any network traffic. Instead the status is retrieved by looking at a special status cookie. This feature can be disabled by setting `checkLoginIframe: false` in the options passed to the `init()` method.