[keycloak-dev] Why access code is in memory
Marek Posolda
mposolda at redhat.com
Fri Feb 21 03:12:33 EST 2014
Ah yes, there is this in the OAuth2 spec, section 4.1.2:
If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code.
I wonder if Infinispan is the way to go? This will address both clustering (replication) and memory leak (expiration). Or you want to avoid this?
Marek
On 20.2.2014 21:34, Bill Burke wrote:
> I remember one of the reasons access code is in memory. When a code is
> turned into a token, the code is removed. Thus, the code can only be
> used once and only once to obtain an access token. This can be
> mitigated of course by timeouts on the access code.
>
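The behaviour discussed in this thread (a code is consumed exactly once, it times out, and reuse must lead to denial and revocation) can be shown in a small in-memory store. The following is an added illustration written for this thread, not Keycloak's own code; the store, the 60-second lifetime and the injectable clock are assumptions. It differs from simply deleting the code on exchange in one respect: the consumed record is kept until the code expires, so a replay is recognised as reuse (not merely as an unknown code) and the tokens minted from the first exchange can be revoked as section 4.1.2 requires. A periodic sweep removes expired records, which is the memory-leak concern raised above.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumption: a short code lifetime in seconds; the thread mentions timeouts but no value.
CODE_LIFETIME_SECONDS = 60


@dataclass
class CodeRecord:
    client_id: str
    user: str
    issued_at: float
    consumed: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthorizationCodeStore:
    """Hypothetical in-memory authorization code store (not Keycloak's implementation).

    A code can be exchanged once. The consumed record is retained until the code
    expires so that a second exchange is detected as reuse and the tokens issued
    from the first exchange are revoked (RFC 6749 section 4.1.2).
    """

    def __init__(self, lifetime=CODE_LIFETIME_SECONDS, clock=time.time):
        self._codes = {}              # code -> CodeRecord
        self._active_tokens = set()   # tokens that are currently valid
        self._lifetime = lifetime
        self._clock = clock           # injectable so expiry can be tested deterministically

    def issue_code(self, client_id, user):
        """Mint an unguessable code bound to the client and user."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, user, self._clock())
        return code

    def exchange(self, code, client_id):
        """Exchange a code for a token. Returns (status, token); status is
        'ok', 'expired', 'reused' or 'denied'."""
        rec = self._codes.get(code)
        if rec is None:
            return "denied", None
        if self._clock() - rec.issued_at > self._lifetime:
            del self._codes[code]
            return "expired", None
        if rec.client_id != client_id:
            # code was not issued to this client: deny, leave the record untouched
            return "denied", None
        if rec.consumed:
            # second use of the same code: deny and revoke everything it produced
            self._revoke(code, rec)
            return "reused", None
        rec.consumed = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self._active_tokens.add(token)
        return "ok", token

    def _revoke(self, code, rec):
        for t in rec.tokens:
            self._active_tokens.discard(t)
        del self._codes[code]

    def token_is_valid(self, token):
        """Resource servers would consult this (or an equivalent) before honouring a token."""
        return token in self._active_tokens

    def purge_expired(self):
        """Periodic sweep that drops expired records; returns how many were removed."""
        now = self._clock()
        expired = [c for c, r in self._codes.items() if now - r.issued_at > self._lifetime]
        for c in expired:
            del self._codes[c]
        return len(expired)


if __name__ == "__main__":
    store = AuthorizationCodeStore()
    code = store.issue_code("my-client", "alice")
    print(store.exchange(code, "my-client")[0])   # ok
    print(store.exchange(code, "my-client")[0])   # reused
```

The same record keeping is what a replicated cache such as Infinispan would have to carry across nodes: the consumed flag and the list of issued tokens, not just the presence of the code, otherwise a replay against a second node cannot trigger the revocation the spec asks for.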