Hello!
We are currently in the process of migrating our Customer Portal to Keycloak, and are
trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based
on our needs. What are example use cases for both flows? When would you use one vs the
other?
Here is the general use case we are trying to solve.
1. A user logs in and receives an access_token.
2. The user loads an Angular single-page-app that makes a call to a stateless REST api,
passing an access token.
3. The REST API validates the access_token and forwards the request to the downstream
system e.g. a data provider, including the access token in the request.
4. The data provider retrieves the access token and validates it and returns the response
to the REST service, which returns the response to the Angular app.
The above flow should be able to continue anytime throughout the duration of the SSO
session. So for the above flow which OpenID Connect flow would you recommend using?
Standard, Implicit, or Hybrid?
Standard Flow
http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
Implicit Flow
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
Thank you!
- Jared Sprague
access.redhat.com
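The REST API and data-provider steps of the flow described above, as an added example that is not part of the original post: a stateless resource server validating a bearer access token (signature, issuer, audience, expiry) and forwarding the same token downstream, where the provider validates it again. It assumes a hypothetical issuer URL and API client id, and signs with an HMAC secret so it runs offline; a Keycloak realm signs tokens with RSA, so a real resource server would verify against the realm's public key instead.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real resource server checks the realm's RSA signature instead.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://sso.example.com/auth/realms/portal"  # assumed issuer URL
API_AUDIENCE = "customer-portal-api"                    # assumed API client id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Build an HS256 JWT; used only to construct sample input for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_access_token(token, now=None):
    """Stateless per-request checks: signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm; never let the token choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def rest_api_request(bearer_header, now=None):
    """REST API validates the token and forwards it unchanged; the provider re-validates."""
    token = bearer_header.removeprefix("Bearer ")
    validate_access_token(token, now)
    downstream = {"Authorization": f"Bearer {token}"}  # same bearer token, forwarded
    claims = validate_access_token(downstream["Authorization"][7:], now)
    return {"user": claims["sub"], "data": "provider response"}
```

Both services run the same checks because neither keeps session state; the token itself carries everything needed to authorize the call for the rest of the SSO session.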