Re: [keycloak-dev] Authorization code and refresh tokens in cross DC

One problem with authorization codes and refresh tokens in cross DC setups is the fact that they are supposed to be one-time only. We could have an option on a realm to set if they are one-time or not (we already do for refresh tokens). If they are one-time we have a separate synchronously replicated cache to handle. Question though would it be acceptable that they are not one-time? It does imposed a certain risk as it wouldn't be possible to detect if they are leaked. For example imagine someone somehow manages to sniff all codes sent to an application (say it's a public application since that doesn't require credentials). They can then exchange the code for tokens alongside the real application. As the codes are not one-time this goes undetected. If codes on the other hand are undetected the realm application will either be the only one to exchange the code, or it will notice something is not right. This issue may be resolved by the introduction of Proof Key for Code Exchange [1] though. For refresh tokens sure it would be nice to be able to detect leakage, but one-time is fairly brittle as HTTP requests are not transactional so you can easily end up with loosing a response which would render the old refresh token useless and the new one lost. [1] https://tools.ietf.org/html/rfc7636 _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev