Hi,

Up until recently I automatically selected to use implicit grant flow from SPAs, but lately I’ve been re-assessing this since the keycloak javascript adapter provides standard flow out of the box and makes that a viable option. I also note that the keycloak admin console is a HTML5/javascript/angular js app that uses the keycloak js adapter and uses the standard flow. As a side note I find the client defaults interesting in that Implicit flow is disabled, but direct access grants are enabled (I’m coming from a mitreid connect implementation where direct access grants where disabled by default and implicit flow was enabled, so just wonder what the thinking is behind this since direct access grants are discouraged).

I’m really wondering why are you pushing standard flow from the keycloak javascript adapter instead of implicit? What are the benefits that make standard flow better in this case? One thing I have seen mentioned is refresh tokens obtained in standard flow make it easy to get a new access token, but I thought you could get refresh tokens from the implicit flow anyway, and even if not, if a user logs in with “remember me”, then getting a new access token doesn’t require re-entering credentials by the user. I want to make sure that when implementing keycloak in our SPA we choose the best flow and want to know if there’s some reason standard flow is best.

Regards,

$Description: Description: C:\Users\jayt\Desktop\tonyjay_sig_files\virginaustralia.gif$

Anthony Fryer | Solution Architect & Designer

Mb: 0438 781 745

Email: anthony.fryer@virginaustralia.com

Virgin Australia group of airlines including Virgin Australia,
V Australia, Pacific Blue and Polynesian Blue

Please consider the environment before printing this email.