[keycloak-user] Which OpenID Connect Flow to Use?

Jared Sprague jsprague at redhat.com
Thu Mar 31 13:17:19 EDT 2016

We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs.  What are example uses cases for both flows?  When would you use one vs the other?

Here is the general use case we are trying to solve.

1. A user logs in and receives an access_token.
1. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token.
2. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request.
3. The data provider reprieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app.

The above flow should be able to continue anytime throughout the duration of the SSO session.  So for the above flow which OpenID Connct flow would you recommend using? Standard, Implicit, or Hybrid?

Standard Flow

Implicit Flow

Thank you!
- Jared Sprague

More information about the keycloak-user mailing list