[keycloak-dev] Cross-DC and codeToToken request

Marek Posolda mposolda at redhat.com
Tue May 23 04:41:19 EDT 2017

On 22/05/17 15:16, Bill Burke wrote:
>>> 4) Is it ok to have an option to relax code one-time use? Otherwise, in
>>> cross-DC and without sticky sessions, every code exchange may require
>>> a SYNC request to other DCs to double-check the code was not used already.
>>> Not good for performance.
>> Maybe this is OK. Confidential apps need credentials and then
>> there's Proof Key for Code Exchange for public clients. Although the latter
>> may be another issue in cross-DC?
>>> For now, I can see some combination of 1,3,4 as a way to go. WDYT?
>>> Marek
> I think 1 and 4 will hobble us for future things we want to do.

Ok, I understand 1 may be problematic for some scenarios and won't do 
it. But what exactly is a blocker for relaxing code one-time use?

I am thinking that the code will still be single-use by default, as it's 
required per the OAuth2/OIDC specs. However, admins who prefer performance 
over security may choose to relax strict code one-time use. This may be 
a new option - not sure whether configurable per realm or per client. I 
can see it's likely ok in some environments (private corporate networks 
etc.)?

