[keycloak-user] Which OpenID Connect Flow to Use?

Bill Burke bburke at redhat.com
Fri Apr 1 13:37:17 EDT 2016


I think implicit was intended for Javascript clients that didn't have an 
adapter.  I don't like it because access tokens become part of the 
browser history.

On 4/1/2016 12:29 PM, Jared Sprague wrote:
> Thanks for the response Bill!  So it sounds like from what you're saying that the Standard flow should work fine for us since it's what the admin app uses and it's an Angular app that talks to REST API.  Just out of curiosity, in what situation would implicit flow be used?
> Thanks!
> - Jared
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, March 31, 2016 1:40:03 PM
> Subject: Re: [keycloak-user] Which OpenID Connect Flow to Use?
>
> The Keycloak admin console is a pure HTML5/Javascript/Angular
> application.  It is a public client that uses the keycloak.js adapter.
> It uses the authorization code grant flow (standard).  The admin console
> app is registered as a client under the realm with precise allowed
> redirect URIs.  CORS is used at the REST api to additionally ensure that
> the correct origins are communicating with it.  This ensures that only
> the admin console can initiate authentication and that only the admin
> console can participate in the auth code grant flow and only the admin
> console (through CORS and bearer tokens) can invoke on the REST API.
>
> On 3/31/2016 1:17 PM, Jared Sprague wrote:
>> Hello!
>> We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs.  What are example use cases for both flows?  When would you use one vs the other?
>>
>> Here is the general use case we are trying to solve.
>>
>> 1. A user logs in and receives an access_token.
>> 2. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token.
>> 3. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request.
>> 4. The data provider retrieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app.
>>
>> The above flow should be able to continue anytime throughout the duration of the SSO session.  So for the above flow which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid?
>>
>> Standard Flow
>> http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
>>
>> Implicit Flow
>> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
>>
>> Thank you!
>> - Jared Sprague
>> access.redhat.com

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
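An added illustration of the two points made in the thread (not Keycloak or keycloak.js code): what lands in the browser's URL, and therefore its history, after the redirect back to a public SPA in the code flow versus the implicit flow, and the exact-match redirect URI check the server applies before it sends anything back. Registered URIs, callback URLs and state values are constructed samples; Keycloak's real matcher also supports wildcards, which this helper deliberately omits.

```javascript
// Constructed sample: the redirect URIs registered for the SPA client.
const REGISTERED_REDIRECT_URIS = ["https://portal.example/app/callback"];

// Exact-match check the authorization server applies to redirect_uri.
// A fragment is never allowed (RFC 6749), and the URI must equal a registered entry.
function redirectUriAllowed(candidate) {
  const c = new URL(candidate);
  if (c.hash) return false;
  return REGISTERED_REDIRECT_URIS.includes(c.href);
}

// Classify the redirect back to the SPA. The code flow puts a one-time code in the
// query string; the implicit flow puts the access token itself in the fragment.
// In both cases the full URL, fragment included, is what the browser records in
// its history, which is the concern raised above about the implicit flow.
function parseCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const bare = new URL(callbackUrl);
  bare.search = "";
  bare.hash = "";
  if (!redirectUriAllowed(bare.href)) {
    return { ok: false, reason: "unregistered redirect_uri" };
  }
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  const params = fragment.has("access_token") || fragment.has("code") ? fragment : u.searchParams;
  // state binds the response to the request this client started (CSRF defence).
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  if (params.has("access_token")) {
    return { ok: true, flow: "implicit", accessTokenInUrl: true, token: params.get("access_token") };
  }
  if (params.has("code")) {
    // The code is short-lived and single-use; the SPA exchanges it for tokens
    // over a direct request, so no token ever appears in a navigated URL.
    return { ok: true, flow: "code", accessTokenInUrl: false, code: params.get("code") };
  }
  return { ok: false, reason: "no code or token in response" };
}

module.exports = { redirectUriAllowed, parseCallback };
```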


