[keycloak-dev] KEYCLOAK-884 - UserInfo Endpoint
Stian Thorgersen
stian at redhat.com
Fri Jan 16 09:07:10 EST 2015
----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 16 January, 2015 2:30:05 PM
> Subject: Re: [keycloak-dev] KEYCLOAK-884 - UserInfo Endpoint
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Thursday, January 15, 2015 5:07:22 PM
> > Subject: Re: [keycloak-dev] KEYCLOAK-884 - UserInfo Endpoint
> >
> >
> >
> > On 1/15/2015 12:40 PM, Pedro Igor Silva wrote:
> > > ----- Original Message -----
> > >> From: "Pedro Igor Silva" <psilva at redhat.com>
> > >> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > >> Sent: Thursday, January 15, 2015 2:46:11 PM
> > >> Subject: KEYCLOAK-884 - UserInfo Endpoint
> > >>
> > >> Bill,
> > >>
> > >> Is the work you are doing for claims considering the respective
> > >> sections
> > >> in OpenID Connect specification ? To be more specific,
> > >> http://openid.net/specs/openid-connect-core-1_0.html#Claims.
> > >>
> > >> Depending on what you are doing, I think I would need to wait you
> > >> finish
> > >> in order to full support what is expected from the UserInfo
> > >> endpoint.
> > >> Meanwhile, I'm already doing everything that is necessary to get
> > >> the
> > >> endpoint up and running with a basic interoperability based on the
> > >> default scope values used to request claims (profile, email,
> > >> address,
> > >> phone).
> > >>
> > >> Btw, are you planning to configure any type of configuration in
> > >> order
> > >> to
> > >> setup the privacy of certain claims ?
> > >
> > > Forget about it. Just noticed you already have support for that.
> > >
> >
> > Nothing beyond a few claims though. Can't enter in address, phone, etc...
>
> I've submitted a PR for this issue. There are some changes to IDToken type
> that would like to share and discuss.
>
> Today, user claims are strongly tied with the IDToken type. They are there as
> properties of the type itself. From a token perspective, that is how they
> are represented but from an internal perspective I think we can improve it a
> little bit by introducing a specific type for user claims.
>
> IMO, a best design is to extract those specific claims from IDToken type and
> get them into a specific UserClaimSet, which also helps to avoid code
> duplication when claims are needed in different places. Just like we need it
> in UserInfo.
>
> That allow us to better represent/manage user claims internally and keep
> things more in sync with the specs, without break anything from a token
> representation or functionality perspective.
I'm not convinced about this. Other than IDToken and UserInfo endpoint I can't see any uses for this.
Also, I reckon this will change a fair bit by introducing custom user profiles. Internally I reckon we'll be using user profiles, not claim-set.
>
> Any thoughts ?
>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list