[keycloak-dev] stateless access codes committed, anything else?
Bill Burke
bburke at redhat.com
Mon Jun 30 08:32:23 EDT 2014
It is the "price to pay". We can shrink the timeout of the access code.
Right now it is 60 seconds. Also, since we're already creating a
session, might as well have a "state" associated with the session.
On 6/30/2014 5:12 AM, Marek Posolda wrote:
> There is one small issue though: it is now possible to exchange the same
> code for a token multiple times. I am not sure if we already discussed this
> and decided that it's the "price to pay" to have a stateless TokenService.
> However, the OAuth2 spec is not so happy with this (see 4.1.2 and 10.5).
> Did we consider saving codes (or exchanged codes) into the DB and having some
> periodic task to clean them up?
>
> Marek
>
> On 20.6.2014 16:43, Bill Burke wrote:
>> Is there anything else that is stateful about the token service?
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
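The stateful alternative Marek raises (keep a record of issued and exchanged codes, reject reuse, and clean up expired entries) sketched as an added Python example; this is not Keycloak's code, and the store class, the 60-second TTL and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # assumption: the 60-second access code timeout from the thread


@dataclass
class CodeRecord:
    client_id: str
    session_id: str
    issued_at: float
    exchanged: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationCodeStore:
    """Server-side record of codes so each can be exchanged at most once (RFC 6749 4.1.2)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for tests
        self.codes = {}             # code -> CodeRecord (stands in for the DB table)
        self.active_tokens = set()  # tokens that have not been revoked

    def issue(self, client_id, session_id):
        code = secrets.token_urlsafe(32)
        self.codes[code] = CodeRecord(client_id, session_id, self.clock())
        return code

    def exchange(self, code, client_id):
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id:
            return None                          # unknown code or wrong client
        if self.clock() - rec.issued_at > self.ttl:
            del self.codes[code]                 # expired: forget it and deny
            return None
        if rec.exchanged:
            # Replay: deny and revoke every token previously issued on this code.
            self.active_tokens.difference_update(rec.tokens)
            del self.codes[code]
            return None
        rec.exchanged = True                     # keep the record so a replay is recognised
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self.active_tokens.add(token)
        return token

    def is_token_valid(self, token):
        return token in self.active_tokens

    def cleanup(self):
        """Periodic task: drop records (exchanged or not) older than the TTL."""
        now = self.clock()
        expired = [c for c, r in self.codes.items() if now - r.issued_at > self.ttl]
        for c in expired:
            del self.codes[c]
        return len(expired)
```

Exchanged codes stay in the store until the cleanup task removes them, which is what lets a second exchange be recognised as a replay rather than an unknown code.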