[keycloak-dev] stateless access codes committed, anything else?
Marek Posolda
mposolda at redhat.com
Mon Jun 30 05:12:26 EDT 2014
There is one small issue though: it is now possible to exchange the same
code for a token multiple times. I am not sure if we already discussed this
and decided that it's the "price to pay" to have a stateless TokenService.
However, the OAuth2 spec is not so happy with this (see 4.1.2 and 10.5).
Did we consider saving codes (or exchanged codes) into the DB and having some
periodic task to clean them up?
Marek
On 20.6.2014 16:43, Bill Burke wrote:
> Is there anything else that is stateful about the token service?
>
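
Added example, not part of the original message and not Keycloak code: one way to keep codes stateless to issue while making them single-use, by remembering redeemed code ids only until the code expires and purging them periodically. It assumes the signed code carries a unique id and an expiry that the token service has already verified; `UsedCodeStore`, `redeem` and `purgeExpired` are hypothetical names.

```java
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not Keycloak code): tracks redeemed authorization codes.
public class UsedCodeStore {
    // code id -> expiry of that code (epoch seconds). In a cluster this map would
    // be a DB table with a unique constraint on the code id (assumption).
    private final ConcurrentHashMap<String, Long> used = new ConcurrentHashMap<>();

    /** Returns true only for the first redemption of an unexpired code. */
    public boolean redeem(String codeId, long expiresAt, long now) {
        if (now >= expiresAt) {
            return false; // expired codes are rejected and never stored
        }
        // putIfAbsent is atomic, so two concurrent exchanges of the same code
        // cannot both succeed.
        return used.putIfAbsent(codeId, expiresAt) == null;
    }

    /** Cleanup for the periodic task: an expired code is already rejected by
     *  the expiry check above, so its entry no longer needs to be kept. */
    public int purgeExpired(long now) {
        int before = used.size();
        used.values().removeIf(expiresAt -> expiresAt <= now);
        return before - used.size();
    }

    public int size() {
        return used.size();
    }

    public static void main(String[] args) {
        UsedCodeStore store = new UsedCodeStore();
        long now = Instant.now().getEpochSecond();
        String codeId = "constructed-code-id-1"; // constructed sample value
        long expiresAt = now + 60;               // constructed 60 second lifetime

        System.out.println("first exchange accepted:  " + store.redeem(codeId, expiresAt, now));
        System.out.println("replay accepted:          " + store.redeem(codeId, expiresAt, now + 1));
        System.out.println("entries before expiry:    " + store.size());
        System.out.println("purged after expiry:      " + store.purgeExpired(expiresAt + 1));
        System.out.println("late exchange accepted:   " + store.redeem(codeId, expiresAt, expiresAt + 1));
    }
}
```

The stored state is bounded by the code lifetime, so the cleanup task only has to run about as often as codes expire.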