[keycloak-user] Which OpenID Connect Flow to Use?

Bill Burke bburke at redhat.com
Thu Mar 31 13:40:03 EDT 2016

The Keycloak admin console is a pure HTML5/Javascript/Angular 
application.  It is a public client that uses the keycloak.js adapter.  
It uses the authorization code grant flow (standard).  The admin console 
app is registered as a client under the realm with precise allowed 
redirect URIs.  CORS is used at the REST api to additional ensure that 
the correct origins are communicating with it.  This ensures that only 
the admin console can initiate authentication and that only the admin 
console can participate in the auth code grant flow and only the admin 
console (through CORS and bearer tokens) can invoke on the REST API.

On 3/31/2016 1:17 PM, Jared Sprague wrote:
> Hello!
> We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs.  What are example uses cases for both flows?  When would you use one vs the other?
> Here is the general use case we are trying to solve.
> 1. A user logs in and receives an access_token.
> 1. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token.
> 2. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request.
> 3. The data provider reprieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app.
> The above flow should be able to continue anytime throughout the duration of the SSO session.  So for the above flow which OpenID Connct flow would you recommend using? Standard, Implicit, or Hybrid?
> Standard Flow
> http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
> Implicit Flow
> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
> Thank you!
> - Jared Sprague
> access.redhat.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list