[keycloak-dev] Notify clients on client configuration changes in Keycloak

Thomas Darimont thomas.darimont at googlemail.com
Thu Mar 9 17:46:49 EST 2017

Hello group,

I have a service which is registered as an OIDC client with service
accounts enabled.
If the service obtained an access_token with client_credentials grant
it contains the service account roles assigned to that client at the moment
the token was issued.

The service now uses the access_token to make calls to other services.
As long as the access_token is valid the service reuses the access_token.

If one now changes the service account role configuration of the client in
the new roles are NOT visible to the service until it obtains a new
access_token with
the new role assignment - which can take a while depending on the
configured token lifetime.

It would be helpful if Keycloak could notify clients (perhaps via Webhook?)
about client
configuration changes (roles, mappers, scopes, etc.) - services could then
suitable action e.g. obtain a new access_token.

What do you think?


More information about the keycloak-dev mailing list