[keycloak-dev] Authorization code and refresh tokens in cross DC

Stian Thorgersen sthorger at redhat.com
Wed Mar 22 03:49:45 EDT 2017

One problem with authorization codes and refresh tokens in cross DC setups
is the fact that they are supposed to be one-time only.

We could have an option on a realm to set if they are one-time or not (we
already do for refresh tokens). If they are one-time we have a separate
synchronously replicated cache to handle.

Question though: would it be acceptable that they are not one-time? It does
impose a certain risk as it wouldn't be possible to detect if they are

For example imagine someone somehow manages to sniff all codes sent to an
application (say it's a public application since that doesn't require
credentials). They can then exchange the code for tokens alongside the real
application. As the codes are not one-time this goes undetected. If codes
on the other hand are undetected the realm application will either be the
only one to exchange the code, or it will notice something is not right.
This issue may be resolved by the introduction of Proof Key for Code
Exchange [1] though.

For refresh tokens sure it would be nice to be able to detect leakage, but
one-time is fairly brittle as HTTP requests are not transactional so you
can easily end up losing a response which would render the old
refresh token useless and the new one lost.

[1] https://tools.ietf.org/html/rfc7636
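
An added example, not part of the original post and not Keycloak code: a single-node, in-memory model of the code exchange discussed above, comparing reusable codes, one-time codes, and reusable codes bound to a PKCE S256 challenge from [1]. The names `CodeStore`, `scenario` and `s256` are hypothetical, and cross-DC replication is not modelled.

```python
import base64, hashlib, secrets

def s256(verifier):
    """RFC 7636 S256 challenge: unpadded base64url of SHA-256(verifier)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class CodeStore:
    """Hypothetical stand-in for the server-side authorization code cache."""
    def __init__(self, one_time):
        self.one_time = one_time
        self.codes = {}    # code -> {"challenge": str or None, "used": bool}
        self.replays = []  # codes presented again after a successful exchange

    def issue(self, challenge=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"challenge": challenge, "used": False}
        return code

    def exchange(self, code, verifier=None):
        entry = self.codes.get(code)
        if entry is None:
            return "invalid_grant"
        challenge = entry["challenge"]
        if challenge is not None:
            # PKCE: the caller must prove it started this authorization request.
            if verifier is None or not secrets.compare_digest(s256(verifier), challenge):
                return "invalid_grant"
        if self.one_time and entry["used"]:
            self.replays.append(code)  # second use: the signal one-time codes give
            return "invalid_grant"
        entry["used"] = True
        return "tokens"

def scenario(one_time, pkce):
    """A second party that saw only the code exchanges first, then the real client."""
    store = CodeStore(one_time)
    verifier = secrets.token_urlsafe(32)  # constructed; never leaves the real client
    code = store.issue(s256(verifier) if pkce else None)
    second = store.exchange(code)
    real = store.exchange(code, verifier if pkce else None)
    return second, real, len(store.replays)

if __name__ == "__main__":
    for one_time, pkce in [(False, False), (True, False), (False, True)]:
        print(one_time, pkce, scenario(one_time, pkce))
```

Each result is (second party's outcome, real client's outcome, replays recorded by the server). A failed PKCE check does not mark the code as used, so the real client's exchange still succeeds.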
