[keycloak-user] Which OpenID Connect Flow to Use?
Bill Burke
bburke at redhat.com
Thu Mar 31 13:40:03 EDT 2016
The Keycloak admin console is a pure HTML5/Javascript/Angular
application. It is a public client that uses the keycloak.js adapter.
It uses the authorization code grant flow (standard). The admin console
app is registered as a client under the realm with precise allowed
redirect URIs. CORS is used at the REST api to additional ensure that
the correct origins are communicating with it. This ensures that only
the admin console can initiate authentication and that only the admin
console can participate in the auth code grant flow and only the admin
console (through CORS and bearer tokens) can invoke on the REST API.
On 3/31/2016 1:17 PM, Jared Sprague wrote:
> Hello!
> We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs. What are example uses cases for both flows? When would you use one vs the other?
>
> Here is the general use case we are trying to solve.
>
> 1. A user logs in and receives an access_token.
> 1. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token.
> 2. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request.
> 3. The data provider reprieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app.
>
> The above flow should be able to continue anytime throughout the duration of the SSO session. So for the above flow which OpenID Connct flow would you recommend using? Standard, Implicit, or Hybrid?
>
> Standard Flow
> http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
>
> Implicit Flow
> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
>
> Thank you!
> - Jared Sprague
> access.redhat.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list