[keycloak-dev] ID Token claims in Access Token and Refresh Token

Stian Thorgersen stian at redhat.com
Wed Dec 3 09:01:19 EST 2014 


----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Wednesday, 3 December, 2014 2:39:14 PM
> Subject: Re: [keycloak-dev] ID Token claims in Access Token and Refresh Token
> 
> The one reason I can think of is bearer authentication. Currently we are
> doing it with accessToken and if we remove claims from accessToken, then
> bearer app won't be able to easily retrieve informations about user
> without sending another request to UserInfo endpoint. I agree that
> having userInfo in all tokens doesn't makes much sense, but not sure how
> to improve it. Some options:
> 1) Remove IDToken (but I guess we need it for OpenID connect support,
> right?)
> 2) Send both accessToken+idToken to bearer auth (but there is more
> network bandwith then)
> 3) Allow bearer apps to retrieve data from UserInfo, but that's another
> request to KC needed then
> 4) Keep as it is.

It would reduce the size of the access token. Could be by quite a few bytes when there's more and more claims added. Question is how does REST endpoints expect to retrieve these claims, and how many REST endpoints actually use the claims at all? Not sure how you would send the token separately as it's expected the authorization header contains the bearer token only.

> 
> For UserInfo we have endpoint on AccountManagement, which is used for
> example by keycloak.js (Keycloak.loadUserProfile). Or do you mean
> something different?

Something else as it should be OpenID Connect specific with the same fields as the ID Token.

> 
> Marek
> 
> 
> On 3.12.2014 08:55, Stian Thorgersen wrote:
> > As AccessToken and RefreshToken extends IDToken they contain the ID Token
> > claims. If I've read the spec correctly those claims should only be in the
> > ID Token. There should also be a separate UserInfo endpoint which we're
> > missing.
> >
> > Is there a reason why AccessToken extends IDToken, or can we remove that?
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
>

More information about the keycloak-dev mailing list