What is the need for sessions?


So I do have a fairly basic question. I am afraid I am lacking knowledge about a core concept of OAuth 2/OpenID Connect. Nevertheless, I didn't really find an answer in different documents (OAuth 2/OpenID Connect specification, Keycloak documentation, ...).

What is the need for sessions when using Keycloak as OAuth 2.0 and OpenID Connect Authorization Server?

In my understanding one of the core concepts/advantages of OAuth 2.0 in combination with JWTs is the stateless authorization.

So why does Keycloak use sessions on top of those tokens (and because of this is a stateful server)?

I have heard of an explanation that the JWT could be hijacked by other applications when it's stored in the browser, but isn't it the same thing with session IDs?

I hope someone can help me with this quite basic question! :slight_smile:



Yes - Keycloak maintains sessions on top of the identity providers.

Thanks @melancholia, but my actual question was why this is necessary. Because as far as I understood OAuth 2 and OpenID Connect, one of the major advantages in comparison to session-based authentication is that you don't have to store data on the server side (stateless server vs. stateful server).


Because OIDC is an SSO protocol and that cookie represents the user's logged-in state.
It's stateless from your app/service provider (SP) view. There is no need for the cookie on the SP side (but some implementations use it to store access/id/refresh tokens, especially web app auth proxies, e.g. gatekeeper - but that's not a cookie for the Keycloak IDP, it's for the SP).

1 Like
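The split the last reply describes (the SP verifies tokens statelessly, the IdP keeps a session so that a second application gets a token without a new login) is easier to see in running code. The following is an added example written for this thread, not code from Keycloak or from any poster. It is a constructed model: `IdentityProvider`, `make_jwt`, `verify_jwt` and `demo` are hypothetical names, the user database and the shared secret are made up, and tokens are signed with HS256 using only the standard library so it runs offline (Keycloak signs with an asymmetric key, RS256 by default, but the stateless check on the SP side works the same way with a public key).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secret for this demo only; in a real deployment the IdP holds a
# private key and SPs verify with the matching public key.
SIGNING_SECRET = b"demo-signing-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Issue an HS256 JWT; in this model only the IdP calls this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SIGNING_SECRET,
               now: Optional[float] = None) -> Optional[dict]:
    """The stateless check an SP performs: algorithm, signature and expiry.
    No session store, no call back to the IdP."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:          # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


class IdentityProvider:
    """Constructed stand-in for the IdP. `sessions` is the server-side state
    the question asks about: SSO cookie -> logged-in user."""

    def __init__(self, users: dict, token_ttl: int = 300):
        self.users = users          # username -> password (demo only)
        self.sessions = {}          # cookie value -> username
        self.token_ttl = token_ttl

    def login(self, username: str, password: str) -> Optional[str]:
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, cookie: Optional[str], client_id: str, now: float) -> Optional[str]:
        """Browser redirect to the IdP: if the SSO cookie maps to a live session,
        issue a token for this client without asking for credentials again."""
        username = self.sessions.get(cookie) if cookie else None
        if username is None:
            return None             # the IdP would render its login page here
        return make_jwt({"sub": username, "aud": client_id,
                         "iat": int(now), "exp": int(now) + self.token_ttl})

    def logout(self, cookie: str) -> None:
        self.sessions.pop(cookie, None)


def demo(now: float = 1_700_000_000.0) -> dict:
    idp = IdentityProvider({"alice": "correct horse"})
    first_visit = idp.authorize(None, "app-a", now)          # no cookie yet -> login page
    cookie = idp.login("alice", "correct horse")
    token_a = idp.authorize(cookie, "app-a", now)
    token_b = idp.authorize(cookie, "app-b", now)            # same cookie, no re-login: SSO
    claims_a = verify_jwt(token_a, now=now)                  # SP-side checks need only the key
    claims_b = verify_jwt(token_b, now=now)
    idp.logout(cookie)
    return {
        "login_required_without_cookie": first_visit is None,
        "sso_without_reauth": claims_b is not None and claims_b["sub"] == "alice",
        "sp_a_aud": claims_a["aud"],
        "sp_b_aud": claims_b["aud"],
        "cookie_valid_after_logout": idp.authorize(cookie, "app-a", now) is not None,
        # The SP cannot see the IdP logout: an already issued token verifies until exp.
        "token_valid_after_logout": verify_jwt(token_a, now=now) is not None,
        "token_valid_after_expiry": verify_jwt(token_a, now=now + 301) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `sessions` dictionary is the only state in the model, and it lives at the IdP, not at either SP: that is what makes the second app's login free of a password prompt. The last two entries returned by `demo` show the other side of the same design, which is why session lifetimes and token lifetimes are configured separately.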