In addition to acting as a centralized authentication and authorization service, Keycloak is, at its core, a session and token management system.
As part of the authentication process, Keycloak may create server-side sessions and correlate them with tokens. By relying on these sessions, Keycloak is able to keep the state of the authentication context where sessions originated, track users' and clients' activity, check the validity of tokens, and decide when users and clients should re-authenticate.
In this chapter, we are going to look at how Keycloak allows you to manage tokens and their underlying sessions, as well as understanding the different aspects that you should be aware of when doing so. For that, we are going to cover the following topics:
- Managing sessions
- Managing tokens