If you want to use one client-id, I would recommend that you use one client-id to represent
your suite of applications and then use security realms and roles to segregate your
applications and the corresponding access that your users are granted.
The one disadvantage to this is that if you retire an application or need to make
security requirements different on a "per application" basis, you will have a
tough time managing that with all of your applications using a single client-id.
Depending on the number of applications you are talking about here, I would recommend
using separate client-ids per application. Of course, this is based on our own personal
configuration where we have a few separate client-ids (less than 5). Perhaps someone with
a more extensible setup could offer you a better recommendation.
-----Original Message-----
From: "Haim Vana" <haimv(a)perfectomobile.com>
Sent: Sunday, December 18, 2016 5:28am
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Offline tokens clients best practice
Hi,
We noticed that when working with offline tokens the same client that generated the
offline token must be the one that will generate an access token from it; if we use
a different client we get an error message.
This approach might be problematic since we have users that want to use multiple
applications and they shouldn't be aware of the client id or from which application
they generated the offline token.
So we would like to use a single client for generating the offline tokens and generating
access tokens from them for all of our applications. Is it the best practice? Any known
disadvantages to that approach?
Thanks,
Haim.
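
An added example, not part of the original thread: a backend helper that reads which client an offline token was issued to and builds the refresh request with that client-id, so users do not have to track it. It assumes the offline token is a JWT carrying `azp` and `typ` claims; the client names, the secret and the sample token are constructed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Read the JWT payload without verifying the signature.

    Used only to pick the client for the refresh call; the server
    still validates the token, so this is never an authorization check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def build_refresh_request(offline_token: str, clients: dict) -> dict:
    """Form fields for the token endpoint, using the issuing client.

    `clients` maps client-id -> secret (None for a public client).
    """
    claims = read_claims(offline_token)
    if claims.get("typ") != "Offline":  # assumed claim value
        raise ValueError("token is not an offline token")
    client_id = claims.get("azp")  # assumed: client the token was issued to
    if client_id not in clients:
        raise LookupError(f"token issued to unknown client {client_id!r}")
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": offline_token}
    if clients[client_id] is not None:
        form["client_secret"] = clients[client_id]
    return form


def make_sample_token(azp: str, typ: str = "Offline") -> str:
    # Constructed, unsigned sample token for the demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"azp": azp, "typ": typ}), "sig"])


if __name__ == "__main__":
    clients = {"app-a": None, "app-b": "constructed-secret"}
    print(build_refresh_request(make_sample_token("app-b"), clients))
```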