Hello everyone,
I would like to start a discussion on making features of Token Manager (TokenManager.java) pluggable.
Motivation
The current Keycloak implements features of processing tokens (e.g. generate, verify, refresh) by TokenManager.
The logic of these features depends on the client's settings. Examples are as follows:
Whether using a refresh token or not.
Whether using a refresh token or not in Client Credentials Grant.
Whether making tokens Holder-of-Key tokens.
Whether using "Bearer" or "bearer" as a token format.
IMO, this way of changing the logic has the following problems:
Need to add/modify the code of TokenManager. It might not be preferable to modify Keycloak's body code for its customization.
Need to add/modify client settings. It might not be preferable to add client settings because the current Keycloak already has a lot of client settings (about 110 in Keycloak 15) and the managerial cost of them increases.
To resolve the problems, I would like to propose the following way:
Features of processing tokens can be implemented as a SPI provider.
Instead of client settings, use client policies to change the logic of these features. When evaluating client policies, it selects an implementation of such a provider.
The current logic of TokenManager is implemented as a default such provider.
WDYT?
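The proposal above, sketched as an added example (not code from the post or from Keycloak): token-processing behaviour sits behind a provider interface, and client policies, evaluated in order, pick the provider instead of per-client settings. Every type, provider id and policy name here is hypothetical, and which behaviour counts as the default is an assumption made for the sketch.

```java
import java.util.*;
import java.util.function.Predicate;

public class PluggableTokenManagerSketch {
    // Hypothetical stand-ins, not Keycloak classes.
    record Client(String clientId, Set<String> roles) {}
    record TokenResponse(String tokenType, String accessToken, String refreshToken) {}

    /** Hypothetical SPI: token-processing logic behind one interface. */
    interface TokenManagerProvider {
        TokenResponse clientCredentialsGrant(Client client);
    }

    /** A policy pairs a condition on the client with the provider id to use. */
    record Policy(String name, Predicate<Client> condition, String providerId) {}

    static final String DEFAULT_ID = "default";
    static final Map<String, TokenManagerProvider> PROVIDERS = new HashMap<>();
    static {
        // Placeholder opaque tokens; a real provider would build signed JWTs.
        // Which behaviour is "default" is an assumption made for this sketch.
        PROVIDERS.put(DEFAULT_ID, c -> new TokenResponse("Bearer", opaque(), opaque()));
        PROVIDERS.put("no-refresh-lowercase", c -> new TokenResponse("bearer", opaque(), null));
    }

    static String opaque() { return UUID.randomUUID().toString(); }

    /** First matching policy wins; no match means the default provider. */
    static TokenManagerProvider select(Client client, List<Policy> policies) {
        for (Policy p : policies) {
            if (p.condition().test(client)) {
                TokenManagerProvider provider = PROVIDERS.get(p.providerId());
                // Fail closed: a policy naming an unregistered provider must not
                // silently fall back to different token behaviour.
                if (provider == null)
                    throw new IllegalStateException("Policy " + p.name() + " names unknown provider " + p.providerId());
                return provider;
            }
        }
        return PROVIDERS.get(DEFAULT_ID);
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of(
            new Policy("service-accounts", c -> c.roles().contains("service"), "no-refresh-lowercase"));
        for (Client c : List.of(new Client("batch-job", Set.of("service")), new Client("web-app", Set.of()))) {
            TokenResponse r = select(c, policies).clientCredentialsGrant(c);
            System.out.printf("%s -> token_type=%s refresh_token=%s%n",
                c.clientId(), r.tokenType(), r.refreshToken() == null ? "none" : "issued");
        }
    }
}
```

The fail-closed branch is the part worth carrying into a real design: once policies select token behaviour, a misnamed provider should surface as an error rather than quietly issuing tokens under a different rule set.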