[keycloak-user] Exception after changing roles

Stian Thorgersen stian at redhat.com
Thu Aug 20 10:23:04 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 20 August, 2015 4:18:24 PM
> Subject: Re: [keycloak-user] Exception after changing roles
> 
> 
> 
> On 8/20/2015 3:18 AM, Stian Thorgersen wrote:
> > +1 We should just update the access token with new details and roles
> >
> > Not sure if this is really an issue, but would there be a case where an
> > application caches the claims in the token? I don't think there is, but if
> > we do update the token we should make it 100% clear in the docs that this
> > will happen.
> >
> 
> The problem is consent.  If a client requires consent, you can't add new
> details to the token without that consent.  Looks like we don't check
> for that, we should.

I would say the new token should contain the details the user has + what details the client is permitted to, and when we can't ask for user consent that equates to the client not being permitted.

> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

