[keycloak-user] Any advice on using Offline or Real-time Access Token validation?
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Sun Mar 26 20:45:11 EDT 2017
Has anyone else had to make a decision which one to use? Any guidance or
thoughts you could share?
______________________________________________
I usually take a hybrid approach. Use offline validation with short-lived tokens
(1-2 minutes). That way a single app "request" would rarely require more
than a single refresh across multiple API calls, but if the session is
terminated there's a much smaller amount of time that the token can be
abused.
This also depends on how sensitive the data/app is. If the data is really
sensitive, I would suggest not going with offline tokens, but that's
dependent on your appetite for risk.
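The hybrid described in the reply above, as an added example that is not part of the original post and not Keycloak's own code: a resource server validates each access token offline (signature and expiry, no round-trip to the issuer), tokens live 120 seconds, and the client refreshes once at the start of an app "request" if too little lifetime remains, then reuses the token for every API call in that request. It also computes the window during which a token issued before a logout still validates, which is the exposure the reply is trading against. Assumptions: Keycloak signs access tokens with RS256 against the realm key, but this example uses HS256 with a constructed shared secret so it runs on the standard library alone; the names `mint_token`, `validate_offline`, `ClientSession`, `abuse_window_after_logout` and the 30-second refresh threshold are all invented for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed example, not Keycloak code. Keycloak issues RS256 tokens and publishes
# the realm public key; a shared HS256 secret is used here only to stay stdlib-only.
SECRET = b"constructed-shared-secret-not-for-production"
ACCESS_TOKEN_LIFETIME = 120        # seconds: the 1-2 minute window suggested in the thread
REFRESH_IF_REMAINING_BELOW = 30    # assumed threshold: refresh before a request if less is left


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, now: int, key: bytes = SECRET) -> str:
    """Issue a short-lived HS256 JWT (stands in for Keycloak's token endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ACCESS_TOKEN_LIFETIME}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_offline(token: str, now: int, key: bytes = SECRET, leeway: int = 0) -> dict:
    """Offline validation: verify signature and expiry locally; no call to the issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the validator, not the token, decides the algorithm
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims


def remaining_lifetime(token: str, now: int) -> int:
    """Seconds until exp; read without verifying, only to decide whether to refresh."""
    return json.loads(_b64url_decode(token.split(".")[1]))["exp"] - now


def abuse_window_after_logout(token: str, logout_at: int) -> int:
    """With purely offline validation a token stays usable until exp even after the
    session is terminated; this is the exposure that short lifetimes shrink."""
    return max(0, remaining_lifetime(token, logout_at))


class ClientSession:
    """Client side of the hybrid: refresh at most once per app request, when the token
    is near expiry, then reuse it for every API call in that request. (Constructed.)"""

    def __init__(self, subject: str, now: int):
        self.subject = subject
        self.token = mint_token(subject, now)
        self.refreshes = 0

    def _refresh(self, now: int) -> None:
        # A real client would post its refresh token to Keycloak's token endpoint here.
        self.token = mint_token(self.subject, now)
        self.refreshes += 1

    def app_request(self, now: int, api_calls: int, seconds_between_calls: int) -> list:
        if remaining_lifetime(self.token, now) < REFRESH_IF_REMAINING_BELOW:
            self._refresh(now)
        results = []
        for i in range(api_calls):
            t = now + i * seconds_between_calls
            try:
                validate_offline(self.token, t)  # each resource server checks offline
                results.append("ok")
            except ValueError as exc:
                results.append(str(exc))
        return results


if __name__ == "__main__":
    session = ClientSession("alice", now=0)
    print(session.app_request(now=0, api_calls=3, seconds_between_calls=10), session.refreshes)
    print(session.app_request(now=100, api_calls=3, seconds_between_calls=10), session.refreshes)
    print("usable after logout at t=150:", abuse_window_after_logout(session.token, 150), "s")
```

The refresh threshold must exceed the longest span of API calls one app request makes, or a call late in the request will fail offline validation with an expired token; the 120-second lifetime is what bounds how long a token outlives a terminated session.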