[keycloak-user] Access tokens in Queue based systems
Pavel Micka
Pavel.Micka at zoomint.com
Tue Aug 13 03:11:32 EDT 2019
Hello everyone,
We are using Keycloak (OIDC) in our system and it has proven to be a great solution for http based communication. But we have slight issue with figuring out how to correctly pass the access tokens through queues. The point is that we have a partially a streaming system and we want to make sure that if an attacker manages to send the messages to Rabbit, the messages will not be authorized by clients. That is the theory.
We can send the access tokens through the queue... but the messages may rot in the queue for quite some time (our SLA is in hours), so that would mean long validity of the token (and that may cause issues in case the token is somehow leaked).
Better option would be to have a long validity token, but scope it to the content of the message. But you know...streaming application... there can be thousands of messages a second. And that may cause big scalability issues when bombarding keycloak for each and every message in the system.
Is there some better approach with OIDC? Or should I look on some additional non-KC solution?
Thanks!
Pavel
More information about the keycloak-user
mailing list