[keycloak-user] Customize OpenID/OAuth token

[Francisco Javier Crujeiras]

Hi,

We're thinking on using Keycloak as our main IDP and SSO solution. At this
time, we're using a "custom" IDP server based on Spring and we are
investigating if we can migrate our client database to Keycloak without
disturbing our users.

So, we have seen that, by default, Keycloak answers a token request with a
complete JWT token, like this one:
{
"access_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.eyJqdGkiOiI5YTc4MTY5NC04MGUwLTQ2OTEtOGY3Yi00MzQ5MzA3ZTBkYWIiLCJleHAiOjE1NDM1NzMxMDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOlsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImFjY291bnQiXSwic3ViIjoiYzgxNzYzNjgtMGI5NS00MWFmLTgzZDUtZTk4N2Y0ZWVlYTg3IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xOC4wLjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg"
,
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token":
"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.eyJqdGkiOiJmZWZhNTRjZS1hMjA0LTQ2NjAtODNkMC1kNDE0OWQwOTU0YWMiLCJleHAiOjE1NDM1NzQ2MDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJzdWIiOiJjODE3NjM2OC0wYjk1LTQxYWYtODNkNS1lOTg3ZjRlZWVhODciLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIn0.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY"
,
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f",
"scope": "profile email"
}

But, we'd like to send a "non-JWT" token, like this one:
{

"access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf",
"token_type": "bearer",
"expires_in": 3600,
"scope": "scope-1 scope-2 scope-n"
}

We're not very experienced in Keycloak and we do not know if this is even
possible, but any help will make us very happy.

Thanks in advance!

Regards,