[keycloak-dev] User ids and usernames
stian at redhat.com
Thu Feb 6 11:05:52 EST 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 6 February, 2014 3:59:24 PM
> Subject: Re: [keycloak-dev] User ids and usernames
> On 2/6/2014 10:47 AM, Stian Thorgersen wrote:
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 6 February, 2014 3:41:34 PM
> >> Subject: Re: [keycloak-dev] User ids and usernames
> >> Maybe just return additional information in the json response from
> >> obtaining an access token. The access token would just contain a link
> >> to user profile information. This reduces token size and yet allows
> >> pure REST Bearer Token services to get profile information if they
> >> desire it.
> > I agree some mechanism to retrieve the token + profile in the same request
> > would be nice, but IMO that's an performance optimization that can be done
> > later. Google for example only return the ID, and you need to go an
> > retrieve the profile if you want. I believe this is the way OpenID Connect
> > does it as well, as I'm using Google's OpenID connect endpoints to
> > retrieve the profile.
> Yeah, but wanting to know username, first, last, and/or email is just so
> common it should be optimzied.
Have you read OpenID Connect spec yet? Is there anything like that in there?
Could add a query param or a different endpoint that returns profile with token, or something like that. If it's embedded in token, token is bigger. There's also the case when we introduce refresh tokens you'll not want to return the profile then I suppose.
Can we introduce these changes now? Then add a JIRA for adding some mechanism to retrieve token + profile in one request soon?
> > There's also the case where you don't want to give an app access to your
> > full profile. Currently the token would have to have account/view-profile
> > role to be able to retrieve the profile.
> Keycloak knows the client's permissions. So that is not an issue.
> Bill Burke
> JBoss, a division of Red Hat
More information about the keycloak-dev