It is the "price to pay". We can shrink the timeout of the access code.
Right now it is 60 seconds. Also, since we're already creating a
session, might as well have a "state" associated with the session.
On 6/30/2014 5:12 AM, Marek Posolda wrote:
There is one small issue though, that it is now possible to exchange the
same code for a token multiple times. I am not sure if we already discussed
this and decided that it's the "price to pay" to have a stateless TokenService.
However, the OAuth2 spec is not so happy with this (see 4.1.2 and 10.5).
Did we consider saving codes (or exchanged codes) into the DB and having some
periodic task to clean them up?
Marek
On 20.6.2014 16:43, Bill Burke wrote:
> Is there anything else that is stateful about the token service?
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
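The single-use rule the thread is weighing, as an added illustration that is not Keycloak's code: a small in-memory store that records each issued code with its timestamp and client, refuses a second exchange, revokes the tokens minted from a replayed code as RFC 6749 section 10.5 asks, and exposes the periodic cleanup task Marek mentions. The class and method names (`CodeStore`, `issue`, `redeem`, `cleanup`) are hypothetical, and `now` is passed in explicitly so the timeout logic can be exercised deterministically.

```python
# Added illustration for this thread, not Keycloak code: names are hypothetical.
import secrets

CODE_TTL_SECONDS = 60  # the 60-second code timeout mentioned above


class CodeStore:
    """Remembers issued authorization codes so each can be exchanged once."""

    def __init__(self, ttl=CODE_TTL_SECONDS):
        self.ttl = ttl
        self.codes = {}   # code -> {"issued": timestamp, "client": id, "used": bool}
        self.tokens = {}  # access token -> code it was minted from

    def issue(self, client_id, now):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"issued": now, "client": client_id, "used": False}
        return code

    def redeem(self, code, client_id, now):
        """Exchange a code for a token; returns None when the exchange is refused."""
        entry = self.codes.get(code)
        if entry is None or entry["client"] != client_id:
            return None
        if now - entry["issued"] > self.ttl:
            del self.codes[code]  # timed out: same answer as an unknown code
            return None
        if entry["used"]:
            # RFC 6749 sec. 10.5: a second exchange means the code probably leaked,
            # so revoke every token minted from it and refuse this request too.
            for token in [t for t, c in self.tokens.items() if c == code]:
                del self.tokens[token]
            return None
        entry["used"] = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = code
        return token

    def token_is_valid(self, token):
        return token in self.tokens

    def cleanup(self, now):
        """Periodic task. A code past its timeout is refused by redeem() whether or
        not it is remembered, so dropping it loses no single-use protection."""
        expired = [c for c, e in self.codes.items() if now - e["issued"] > self.ttl]
        for code in expired:
            del self.codes[code]
        return len(expired)
```

Shrinking the timeout only narrows the replay window; the `used` flag is what closes it, and the flag only has to outlive the timeout, which is why the cleanup task can forget old codes safely.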