[keycloak-user] Client Initiated Account Linking doubt
Tomás García
tomas at intrahouse.com
Thu May 4 14:18:36 EDT 2017
I see. I didn't know that the access token was another JWS token like the
ID Token:
https://github.com/keycloak/keycloak/blob/29c0fe564ce01c5cbfb1ca42e15bc7e25efb75b5/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L781
I didn't see in the OpenID Connect standard that the access token carried
information, unlike the ID Token. That explains the so long access tokens
from Keycloak... Carrying info is optional in the standard:
https://tools.ietf.org/html/rfc6749#section-1.4 It should be explained in
the Keycloak docs (unless I missed it).
Thanks, Bill.
On Thu, May 4, 2017 at 5:17 PM Bill Burke <bburke at redhat.com> wrote:
> Non servlet apps should have access to the token too. client session
> and user session ids are in the token.
>
>
> On 5/4/17 6:44 AM, Tomás García wrote:
> > I'm looking at this doc:
> >
> https://keycloak.gitbooks.io/documentation/server_development/topics/identity-brokering/account-linking.html
> >
> > And unless your app lives inside a Java servlet guarded by Keycloak,
> > there's no way to use this feature, right? Due to the hash generation. I
> > don't see a way to get a client / user session Id since they're internal
> > stuff in Keycloak associated thanks to the cookie in the user's browser.
> I
> > get why it's needed though and I don't see any good alternative right now
> > for non-servlet apps (OpenID Connect enabled apps made in other languages
> > for instance)... but it's unfortunate that the doc doesn't clarify it.
> >
> > Thanks.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list