[keycloak-dev] Client and Service Account Session

Pedro Igor Silva psilva at redhat.com
Mon Nov 13 09:52:56 EST 2017


Hi,

Currently, every time a confidential client tries to get a new access token
from the token endpoint a new session is created on the server. This can
lead to multiple active sessions for a single client/service account when
doing multiple requests to token endpoint.

To avoid that the client should store the access token/refresh token and
use a refresh token when appropriate in case the access token has expired.
That is fine.

Now, suppose a confidential client is deployed and wants an access token. A
new session will be created on the server. In case the application goes
down for some reason (e.g.: container moved to a different node in
kubernetes and without a persistent volume) and tries to get a new access
token, we may end-up with two active sessions when asking for a new token
after a re-deploy.

What are your thoughts about re-using existing sessions when doing client
credentials ? What could be the impact on clustering if we need (and we'll
probably need) to update the session ?

Another question would be ... Does make sense to also enable clients to
obtain tokens without necessarily creating a session on the server ? I
think that in most cases, you don't really want to keep track of sessions
when doing client credentials.

Regards.
Pedro Igor


More information about the keycloak-dev mailing list