[keycloak-user] Any advice on using Offline or Real-time Access Token validation?
Niels Bertram
nielsbne at gmail.com
Sun Mar 26 19:59:37 EDT 2017
We have a bunch of web and mobile apps and an API gateway that use Keycloak
OpenID Connect for security.
At the API gateway end, one has the choice of either validating an access
token using the cryptographic credentials from the identity server (offline
mode) or validate every message on the IdPs instrospection endpoint (real
time).
Using offline validation will not hit the IdP every time an app interacts
with the gateway, but we have the potential to allow transactions through
even though the user has signed out on the SSO server. Using the
introspection endpoint will allow users to sign out and stop all
transactions immediately.
I am concerned that using the real timme validation approach will make the
gateway uptime and performance absolutely dependent on the IdP and that the
IdP needs to be scaled at the rate of the API platform.
Has anyone else had to make a decision which one to use? Any guidance or
thoughts you could share?
More information about the keycloak-user
mailing list