[keycloak-dev] Notify clients on client configuration changes in Keycloak

Stian Thorgersen sthorger at redhat.com
Fri Mar 10 01:30:49 EST 2017


I'm not keen on that as it wouldn't be standards compliant. Could also
require a lot of messages to a lot of clients when roles are modified.

I think it can just be handled on the client side. If it gets a 403, get a
new token and try again.

On 9 March 2017 at 23:46, Thomas Darimont <thomas.darimont at googlemail.com>
wrote:

> Hello group,
>
> I have a service which is registered as an OIDC client with service
> accounts enabled.
> If the service obtained an access_token with client_credentials grant
> it contains the service account roles assigned to that client at the moment
> the token was issued.
>
> The service now uses the access_token to make calls to other services.
> As long as the access_token is valid the service reuses the access_token.
>
> If one now changes the service account role configuration of the client in
> Keycloak
> the new roles are NOT visible to the service until it obtains a new
> access_token with
> the new role assignment - which can take a while depending on the
> configured token lifetime.
>
> It would be helpful if Keycloak could notify clients (perhaps via Webhook?)
> about client
> configuration changes (roles, mappers, scopes, etc.) - services could then
> take
> suitable action e.g. obtain a new access_token.
>
> What do you think?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
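Worked example of the two sides of this exchange, added here and not taken from the thread or from Keycloak's code: a service account client that caches its client_credentials access_token and reuses it while valid (Thomas's setup), and that on a 403 fetches a new token exactly once and retries (Stian's suggestion). The token endpoint and the downstream resource are in-memory stand-ins constructed for the example; the client id "billing-svc", the roles "reports:read"/"reports:write" and the token layout (unsigned JWT with a `resource_access` claim snapshotting the roles at issuance) are assumptions, not anything the thread specifies.

```python
"""Client-side handling of stale service-account roles (added example)."""
import base64
import itertools
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class FakeKeycloak:
    """Stand-in for the token endpoint (constructed, not Keycloak).
    Issues unsigned JWT-shaped tokens whose resource_access claim is a
    snapshot of the client's service-account roles at issuance time."""

    def __init__(self, lifetime_s: int = 300):
        self.lifetime_s = lifetime_s
        self.service_account_roles: Dict[str, Set[str]] = {}
        self.tokens_issued = 0
        self._serial = itertools.count(1)

    def token(self, client_id: str, client_secret: str, now: float) -> dict:
        # A real endpoint verifies client_secret; skipped here because the
        # point of the example is the caching and retry logic.
        self.tokens_issued += 1
        header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        roles = sorted(self.service_account_roles.get(client_id, set()))
        payload = {"jti": str(next(self._serial)), "iat": int(now),
                   "exp": int(now) + self.lifetime_s, "azp": client_id,
                   "resource_access": {client_id: {"roles": roles}}}
        return {"access_token": f"{header}.{_b64url(json.dumps(payload).encode())}.",
                "expires_in": self.lifetime_s}


class FakeResource:
    """Stand-in for a downstream service that requires one role per endpoint."""

    def __init__(self, required_role: str, client_id: str):
        self.required_role = required_role
        self.client_id = client_id

    def call(self, bearer: str, now: float) -> int:
        # Reads the unsigned payload; a real resource verifies the signature first.
        payload = json.loads(_b64url_decode(bearer.split(".")[1]))
        if payload["exp"] <= now:
            return 401
        roles = payload["resource_access"].get(self.client_id, {}).get("roles", [])
        return 200 if self.required_role in roles else 403


@dataclass
class ServiceClient:
    idp: FakeKeycloak
    client_id: str
    client_secret: str
    clock: Callable[[], float] = time.time
    _token: Optional[str] = field(default=None, init=False)
    _exp: float = field(default=0.0, init=False)

    def _fetch_token(self) -> str:
        now = self.clock()
        resp = self.idp.token(self.client_id, self.client_secret, now)
        self._token = resp["access_token"]
        self._exp = now + resp["expires_in"] - 30  # refresh a little early
        return self._token

    def access_token(self) -> str:
        # Reuse the cached token while it is valid (Thomas's scenario).
        if self._token is None or self.clock() >= self._exp:
            return self._fetch_token()
        return self._token

    def call(self, resource: FakeResource) -> int:
        status = resource.call(self.access_token(), self.clock())
        if status in (401, 403):
            # Stian's suggestion: on 403 get a new token and try again.
            # Exactly one retry: a second 403 means the role really is not
            # assigned, and looping would only hammer the token endpoint.
            status = resource.call(self._fetch_token(), self.clock())
        return status


def demo() -> dict:
    """Run the thread's scenario against a controllable clock and return
    the observed status codes plus the number of tokens issued."""
    clock = [1_000_000.0]
    idp = FakeKeycloak(lifetime_s=300)
    idp.service_account_roles["billing-svc"] = {"reports:read"}
    client = ServiceClient(idp, "billing-svc", "s3cr3t", clock=lambda: clock[0])
    read = FakeResource("reports:read", "billing-svc")
    write = FakeResource("reports:write", "billing-svc")

    first = client.call(read)     # 200, first token issued
    again = client.call(read)     # 200, cached token reused
    denied = client.call(write)   # 403, refresh, still 403: role not assigned
    idp.service_account_roles["billing-svc"].add("reports:write")  # admin adds role
    granted = client.call(write)  # stale cached token -> 403 -> refresh -> 200
    clock[0] += 600               # past token lifetime
    later = client.call(read)     # expiry caught before the call, no 401 round trip
    return {"first": first, "again": again, "denied": denied, "granted": granted,
            "later": later, "tokens_issued": idp.tokens_issued}
```

The `denied` step is the caveat worth keeping in a real client: a 403 is also the normal answer for a permission the service simply does not have, so the refresh-and-retry must be bounded (one retry here) and the second 403 surfaced as a real authorization failure rather than retried indefinitely.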

