[keycloak-dev] Why access code is in memory

Marek Posolda mposolda at redhat.com
Fri Feb 21 03:12:33 EST 2014

ah yes, there is this in OAuth2 specs section 4.1.2:

If an authorization code is used more than
          once, the authorization server MUST deny the request and SHOULD
          revoke (when possible) all tokens previously issued based on
          that authorization code.

I wonder if Infinispan is the way to go? This will address both clustering (replication) and memory leak (expiration). Or you want to avoid this?


On 20.2.2014 21:34, Bill Burke wrote:
> I remember one of the reasons access code is in memory.  When a code is
> turned into a token, the code is removed.  Thus, the code can only be
> used once and only once to obtain an access token.  This can be
> mitigated of course by timeouts on the access code.

More information about the keycloak-dev mailing list