[keycloak-dev] Notify clients on client configuration changes in Keycloak
sthorger at redhat.com
Fri Mar 10 01:30:49 EST 2017
I'm not keen on that as it wouldn't be standards compliant. Could also
require a lot of messages to a lot of clients when roles are modified.
I think it can just be handled on the client side. If it gets a 403, get a
new token and try again.
On 9 March 2017 at 23:46, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
> Hello group,
> I have a service which is registered as an OIDC client with service
> accounts enabled.
> If the service obtained an access_token with client_credentials grant
> it contains the service account roles assigned to that client at the moment
> the token was issued.
> The service now uses the access_token to make calls to other services.
> As long as the access_token is valid the service reuses the access_token.
> If one now changes the service account role configuration of the client in
> the new roles are NOT visible to the service until it obtains a new
> access_token with
> the new role assignment - which can take a while depending on the
> configured token lifetime.
> It would be helpful if Keycloak could notify clients (perhaps via Webhook?)
> about client
> configuration changes (roles, mappers, scopes, etc.) - services could then
> take suitable action e.g. obtain a new access_token.
> What do you think?
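
The client-side handling suggested in the reply above (on a 403, get a new token and try again), as an added example that is not part of the original thread or Keycloak's own code. `ServiceAccountCaller`, `fetch_token` and `send` are hypothetical names, and the token endpoint and downstream service are constructed in-memory stand-ins so the block runs offline.

```python
import time

class ServiceAccountCaller:
    """Caches a client_credentials access token; on a 403 it fetches a
    new token and retries exactly once."""

    def __init__(self, fetch_token, send):
        # fetch_token() -> (bearer, expires_at): does the client_credentials
        #   grant against the token endpoint (hypothetical hook).
        # send(url, bearer) -> HTTP status of the downstream call (hypothetical hook).
        self._fetch_token = fetch_token
        self._send = send
        self._token = None

    def _bearer(self, force=False):
        if force or self._token is None or self._token[1] <= time.time():
            self._token = self._fetch_token()
        return self._token[0]

    def call(self, url):
        status = self._send(url, self._bearer())
        if status == 403:
            # The cached token may carry stale roles: replace it and retry once.
            status = self._send(url, self._bearer(force=True))
        # A second 403 is a real denial. Return it instead of looping, so a
        # forbidden call costs at most one extra token request.
        return status

def demo():
    """Constructed scenario: a role is added while a token is still cached."""
    granted = set()   # roles currently assigned to the service account
    issued = {}       # bearer -> roles frozen into the token at issue time

    def fetch_token():
        bearer = f"tok-{len(issued) + 1}"
        issued[bearer] = frozenset(granted)
        return bearer, time.time() + 300

    def send(url, bearer):
        return 200 if "reports-reader" in issued[bearer] else 403

    caller = ServiceAccountCaller(fetch_token, send)
    before = caller.call("/reports")   # role missing: 403 even after one refresh
    granted.add("reports-reader")      # admin changes the role mapping
    after = caller.call("/reports")    # stale token -> 403 -> new token -> 200
    return before, after, len(issued)

if __name__ == "__main__":
    print(demo())
```

The new role becomes visible on the first call that needs it, without waiting for the configured token lifetime to pass; a call that is genuinely forbidden still ends in a 403 after one refresh.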