[keycloak-dev] Notify clients on client configuration changes in Keycloak
Thomas Darimont
thomas.darimont at googlemail.com
Thu Mar 9 17:46:49 EST 2017
Hello group,

I have a service which is registered as an OIDC client with service accounts enabled.
If the service obtained an access_token with client_credentials grant it contains the service account roles assigned to that client at the moment the token was issued.

The service now uses the access_token to make calls to other services.
As long as the access_token is valid the service reuses the access_token.

If one now changes the service account role configuration of the client in Keycloak the new roles are NOT visible to the service until it obtains a new access_token with the new role assignment - which can take a while depending on the configured token lifetime.

It would be helpful if Keycloak could notify clients (perhaps via Webhook?) about client configuration changes (roles, mappers, scopes, etc.) - services could then take suitable action e.g. obtain a new access_token.

What do you think?

Cheers,
Thomas
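
The situation described in the message above, as an added example that is not part of the original post and not Keycloak code: a client-side cache that reuses a client_credentials token until it expires, plus a handler for the proposed change notification. The class and function names, the event shape (a `client_id` key) and the stubbed token endpoint are assumptions, and the roles carried in the token are simplified to a `roles` field.

```python
import time

class ServiceAccountTokenCache:
    """Reuses a client_credentials access token until it expires or is invalidated."""

    def __init__(self, client_id, fetch_token, clock=time.monotonic, skew=10):
        self.client_id = client_id
        self._fetch = fetch_token   # callable returning the token response as a dict
        self._clock = clock
        self._skew = skew           # refresh this many seconds before expiry
        self._response = None
        self._expires_at = 0.0

    def get(self):
        if self._response is None or self._clock() >= self._expires_at - self._skew:
            self._response = self._fetch()
            self._expires_at = self._clock() + self._response["expires_in"]
        return self._response

    def on_client_config_changed(self, event):
        """Handler for the hypothetical notification (event shape is an assumption)."""
        if event.get("client_id") == self.client_id:
            self._response = None   # next get() obtains a token with current roles
            return True
        return False


def demo():
    # Constructed stand-in for the token endpoint: roles are fixed at issue time.
    # In a real token the roles are claims inside access_token, not a separate field.
    assigned_roles = ["reader"]
    now = [0.0]
    def fake_fetch():
        return {"access_token": "constructed-token", "expires_in": 300,
                "roles": list(assigned_roles)}
    cache = ServiceAccountTokenCache("my-service", fake_fetch, clock=lambda: now[0])

    seen = [cache.get()["roles"]]          # token issued with the original roles
    assigned_roles.append("writer")        # admin changes the role assignment
    now[0] = 60.0
    seen.append(cache.get()["roles"])      # cached token reused: roles are stale
    cache.on_client_config_changed({"client_id": "other-service"})
    seen.append(cache.get()["roles"])      # event for another client: still stale
    cache.on_client_config_changed({"client_id": "my-service"})
    seen.append(cache.get()["roles"])      # invalidated: new token, new roles
    return seen
```

Without a notification the only bound on staleness is the token lifetime, so the skew-based refresh in `get()` is the fallback path.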