[keycloak-dev] Cross-DC and codeToToken request
Marek Posolda
mposolda at redhat.com
Tue May 23 04:41:19 EDT 2017
On 22/05/17 15:16, Bill Burke wrote:
>>> 4) Is it ok to have an option to relax code one-time use? Otherwise, in
>>> cross-DC and without sticky sessions, every code exchange may require a
>>> SYNC request to the other DCs to double-check the code was not used already.
>>> Not good for performance.
>>>
>> Maybe this is OK. Confidential apps need credentials and then
>> there's Proof Key for Code Exchange for public clients. Although the latter
>> may be another issue in cross-DC?
>>
>>
>>> For now, I can see some combination of 1,3,4 as a way to go. WDYT?
>>> Marek
> I think 1 and 4 will hobble us for future things we want to do.
Ok, I understand 1 may be problematic for some scenarios and won't do
it. But what exactly is the blocker for relaxing code one-time use?
I am thinking that the code will still be single-use by default, as it's
required per the OAuth2/OIDC specs. However, admins who prefer performance
over security may choose to relax strict code one-time use. This may be a
new option; not sure whether it should be configurable per realm or per client. I
can see it's likely ok in some environments (private corporate networks
etc.)?
Marek
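The trade-off discussed in this thread, as an added illustration that is not Keycloak code and not part of the original message: a small model of a token endpoint that can run with strict single-use codes (the OAuth2/OIDC default) or with a hypothetical "relaxed" mode in which a code stays redeemable until it expires. The `single_use` switch, the client names, session ids and secrets are all invented for the example. It shows what client credentials (confidential clients) and PKCE S256 (RFC 7636, public clients) still block when one-time use is relaxed, and which case they do not cover.

```python
"""Model of an OAuth2 token endpoint's authorization-code handling.

Constructed example for the keycloak-dev thread, not Keycloak's own code.
single_use=True  : a code can be redeemed exactly once (OAuth2/OIDC default).
single_use=False : hypothetical 'relaxed' mode; a code stays redeemable
                   until its TTL expires, so a replay inside that window works.
"""
import base64
import hashlib
import secrets
import time


class CodeExchangeError(Exception):
    """Token endpoint refusal; a real server answers with error=invalid_grant."""


def pkce_challenge(verifier: str) -> str:
    """S256: BASE64URL-without-padding(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationCodeStore:
    def __init__(self, single_use=True, ttl_seconds=60):
        self.single_use = single_use      # hypothetical 'relax one-time use' switch
        self.ttl = ttl_seconds
        self._clients = {}                # client_id -> client_secret, or None if public
        self._codes = {}                  # code -> record
        self.revoked_sessions = set()     # sessions whose tokens were pulled after a replay

    def register_client(self, client_id, client_secret=None):
        self._clients[client_id] = client_secret

    def issue(self, client_id, session_id, code_challenge=None, now=None):
        """Authorization endpoint: mint a code bound to client, session and PKCE challenge."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "session_id": session_id,
                             "challenge": code_challenge, "used": False,
                             "issued_at": time.time() if now is None else now}
        return code

    def exchange(self, code, client_id, client_secret=None, code_verifier=None, now=None):
        """Token endpoint: redeem a code; raises CodeExchangeError on any failure."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if client_id not in self._clients or rec is None or rec["client_id"] != client_id:
            raise CodeExchangeError("unknown code, unknown client, or code issued to another client")
        expected_secret = self._clients[client_id]
        if expected_secret is not None and (
                client_secret is None or not secrets.compare_digest(expected_secret, client_secret)):
            raise CodeExchangeError("confidential client failed authentication")
        if now - rec["issued_at"] > self.ttl:
            raise CodeExchangeError("code expired")
        if rec["challenge"] is not None and (
                code_verifier is None
                or not secrets.compare_digest(pkce_challenge(code_verifier), rec["challenge"])):
            raise CodeExchangeError("PKCE verification failed")
        if rec["used"] and self.single_use:
            # RFC 6749 section 4.1.2: deny the request and revoke tokens already issued on this code.
            self.revoked_sessions.add(rec["session_id"])
            raise CodeExchangeError("code already used; tokens issued from it revoked")
        rec["used"] = True
        return {"access_token": secrets.token_urlsafe(24), "session_id": rec["session_id"]}


def _try(store, *args, **kwargs):
    try:
        store.exchange(*args, **kwargs)
        return True
    except CodeExchangeError:
        return False


def replay_by_legitimate_client(single_use):
    """Same code redeemed twice with the right verifier. Returns ((first, second), revoked)."""
    store = AuthorizationCodeStore(single_use=single_use)
    store.register_client("spa")                        # public client, PKCE
    verifier = secrets.token_urlsafe(32)
    code = store.issue("spa", "sess-1", pkce_challenge(verifier), now=1000)
    results = tuple(_try(store, code, "spa", code_verifier=verifier, now=1001) for _ in range(2))
    return results, "sess-1" in store.revoked_sessions


def stolen_code_replayed_by_attacker(single_use):
    """Attacker replays captured codes without the client secret or the PKCE verifier.
    Returns (accepted for confidential client, accepted for public client with PKCE)."""
    store = AuthorizationCodeStore(single_use=single_use)
    store.register_client("webapp", client_secret="s3cret")
    store.register_client("spa")
    conf_code = store.issue("webapp", "sess-2", now=1000)
    pub_code = store.issue("spa", "sess-3", pkce_challenge(secrets.token_urlsafe(32)), now=1000)
    return _try(store, conf_code, "webapp", now=1001), _try(store, pub_code, "spa", now=1001)


def stolen_code_public_client_no_pkce(single_use):
    """Public client without PKCE: user redeems the code, then an attacker who captured
    it replays it. Returns True if the attacker obtains a token."""
    store = AuthorizationCodeStore(single_use=single_use)
    store.register_client("legacy-spa")
    code = store.issue("legacy-spa", "sess-4", now=1000)
    store.exchange(code, "legacy-spa", now=1001)        # legitimate redemption
    return _try(store, code, "legacy-spa", now=1002)    # replay by the attacker


if __name__ == "__main__":
    for mode in (True, False):
        print("single_use=%s replay=%s stolen=%s no_pkce_replay=%s" % (
            mode, replay_by_legitimate_client(mode),
            stolen_code_replayed_by_attacker(mode), stolen_code_public_client_no_pkce(mode)))
```

The point the scenarios make: with one-time use relaxed, a confidential client's secret and a public client's PKCE verifier still stop an attacker who only captured the code, which is why the relaxation is plausibly tolerable in the environments the message has in mind. The case it does not cover is a public client that runs without PKCE, where a captured code is replayable for the whole TTL; a real deployment would want to pair the relaxed option with PKCE being required for public clients, and would also lose the spec's "revoke on replay" signal, since a second redemption is no longer distinguishable from a legitimate one.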