<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Yes.  We want that.  Just too busy :)<br>
    <br>
    <div class="moz-cite-prefix">On 2/8/2016 12:16 PM, Scott Rossillo
      wrote:<br>
    </div>
    <blockquote
      cite="mid:E13F86C3-409C-4351-A972-A0872D274D95@smartling.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div class="">Opaque access tokens are an interesting idea for
        security reasons. I’ve heard them referred to as "by reference"
        access tokens because the actual JWT access token has to be
        stored somewhere. The OpenID spec doesn’t address this but it’s
        a solid idea for access tokens exposed to external applications,
        which do not need to be concerned with, or possibly shouldn’t be
        privy to the information inside the token.</div>
      <div class=""><br class="">
      </div>
      <div class="">There’s another option that may be more manageable.
        That is to offer a per client option of encrypting the access
        token, known as JWE, or JSON Web Encryption[0]. The basic idea
        is that the signed token is then encrypted with a symmetrical
        key. This key would probably be a realm level key. Another
benefit of JWE is that the access token payload is compressed, making
        the access token shorter.</div>
      <div class=""><br class="">
      </div>
      <div class="">Is this something we would be interested in adding
        support for?</div>
      <div class=""><br class="">
      </div>
      <div class="">[0]: <a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40"
          class="">https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40</a></div>
      <br class="">
      <div class="">
        <div class="">Scott Rossillo</div>
        <div class="">Smartling | Senior Software Engineer</div>
        <div class=""><a moz-do-not-send="true"
            href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
        <div class=""><br class="">
        </div>
      </div>
      <div>
        <blockquote type="cite" class="">
          <div class="">On Feb 5, 2016, at 9:17 AM, <a
              moz-do-not-send="true"
href="mailto:manfred.duchrow@caprica.biz" class="">manfred.duchrow@caprica.biz</a>
            wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <meta content="text/html; charset=windows-1252"
              http-equiv="Content-Type" class="">
            <div bgcolor="#FFFFFF" text="#000000" class=""> <font
                class="" face="Arial">Yes, that's true (even for some
                open source software too).<br class="">
                So am I supposed to put this JWT access token into the
                Authorization request header as Bearer value to
                authorize a request?<br class="">
                The access token I got from Keycloak is over 5000
                characters long!<br class="">
                <br class="">
              </font><br class="">
              <div class="moz-cite-prefix">On 05.02.2016 13:47, Raghuram
                Prabhala wrote:<br class="">
              </div>
              <blockquote
                cite="mid:355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com"
                type="cite" class="">
                <div style="background-color: rgb(255, 255, 255);
                  font-family: 'Courier New', courier, monaco,
                  monospace, sans-serif; font-size: 13px;" class="">
                  <div id="yui_3_16_0_1_1454674140461_3821" dir="ltr"
                    class=""><span id="yui_3_16_0_1_1454674140461_3820"
                      class="">Access token is implementation specific.
Some commercial software has the concept of
                      "reference tokens" which are nothing but random
                      strings indicated below. The clients have to query
                      back the Authorization server to get a validated
                      JWT token</span></div>
                  <div dir="ltr" id="yui_3_16_0_1_1454674140461_5172"
                    class=""><br class="">
                  </div>
                  <div class="qtdSeparateBR"><br class="">
                    <br class="">
                  </div>
                  <div class="yahoo_quoted"
                    id="yui_3_16_0_1_1454674140461_5186" style="display:
                    block;">
                    <div style="font-family: Courier New, courier,
                      monaco, monospace, sans-serif; font-size: 13px;"
                      id="yui_3_16_0_1_1454674140461_5185" class="">
                      <div style="font-family: HelveticaNeue, Helvetica
                        Neue, Helvetica, Arial, Lucida Grande,
                        sans-serif; font-size: 16px;"
                        id="yui_3_16_0_1_1454674140461_5184" class="">
                        <div dir="ltr"
                          id="yui_3_16_0_1_1454674140461_5183" class="">
                          <font id="yui_3_16_0_1_1454674140461_5182"
                            class="" size="2" face="Arial">
                            <hr class="" size="1"> <b class=""><span
                                style="font-weight:bold;" class="">From:</span></b>
                            Stian Thorgersen <a moz-do-not-send="true"
                              class="moz-txt-link-rfc2396E"
                              href="mailto:sthorger@redhat.com">&lt;sthorger@redhat.com&gt;</a><br
                              class="">
                            <b class=""><span style="font-weight: bold;"
                                class="">To:</span></b> <a
                              moz-do-not-send="true"
                              class="moz-txt-link-abbreviated"
href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a>
                            <br class="">
                            <b class=""><span style="font-weight: bold;"
                                class="">Cc:</span></b> keycloak-user <a
                              moz-do-not-send="true"
                              class="moz-txt-link-rfc2396E"
href="mailto:keycloak-user@lists.jboss.org">&lt;keycloak-user@lists.jboss.org&gt;</a><br
                              class="">
                            <b class=""><span style="font-weight: bold;"
                                class="">Sent:</span></b> Friday,
                            February 5, 2016 7:10 AM<br class="">
                            <b class=""><span style="font-weight: bold;"
                                class="">Subject:</span></b> Re:
                            [keycloak-user] access_token always contains
                            JWT<br class="">
                          </font> </div>
                        <div class="y_msg_container"
                          id="yui_3_16_0_1_1454674140461_5189"><br
                            class="">
                          <div id="yiv0521677882" class="">
                            <div id="yui_3_16_0_1_1454674140461_5188"
                              class="">
                              <div dir="ltr"
                                id="yui_3_16_0_1_1454674140461_5187"
                                class="">There's no such thing as a
                                "simple token". Tokens are always a
                                signed JWT.</div>
                              <div class="yiv0521677882gmail_extra"
                                id="yui_3_16_0_1_1454674140461_5191"><br
                                  class="" clear="none">
                                <div class="yiv0521677882gmail_quote"
                                  id="yui_3_16_0_1_1454674140461_5190">On
                                  5 February 2016 at 11:17, <span
                                    dir="ltr" class="">&lt;<a
                                      moz-do-not-send="true"
                                      class="moz-txt-link-abbreviated"
href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a>&gt;</span>
                                  wrote:<br class="" clear="none">
                                  <blockquote
                                    class="yiv0521677882gmail_quote"
                                    style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex;"
                                    id="yui_3_16_0_1_1454674140461_5195">
                                    <div
                                      class="yiv0521677882yqt1765160907"
                                      id="yiv0521677882yqt70160">
                                      <div
                                        id="yui_3_16_0_1_1454674140461_5194"
                                        class="">
                                        <div
                                          style="font-family:-moz-fixed;font-size:14px;"
id="yui_3_16_0_1_1454674140461_5193" class="" lang="x-unicode">
                                          <pre id="yui_3_16_0_1_1454674140461_5192" class="">Hi,

I am trying to retrieve an access token from a Keycloak (1.8.0.Final)
service account by
POST /auth/realms/myrealm/protocol/openid-connect/token
with grant_type=client_credentials.

The result contains a signed JWT as value of field "access_token" rather
than a simple token
as described in chapter 18 (Service Accounts) of the user guide.

So what I expect (need) is a response like this:

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "refresh_expires_in":600,
    "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "not-before-policy":0,
    "session-state":"234234-234234-234234"
}

Is there a way to configure the account or the realm to return a simple
token
in "access_token" (and "refresh_token") rather than a JWT?

Cheers,
  Manfred


</pre>
                                        </div>
                                      </div>
                                    </div>
                                    <br class="" clear="none">
_______________________________________________<br class="" clear="none">
                                    keycloak-user mailing list<br
                                      class="" clear="none">
                                    <a moz-do-not-send="true"
                                      rel="nofollow" shape="rect"
                                      ymailto="mailto:keycloak-user@lists.jboss.org"
                                      target="_blank"
                                      href="mailto:keycloak-user@lists.jboss.org"
                                      class="">keycloak-user@lists.jboss.org</a><br
                                      class="" clear="none">
                                    <a moz-do-not-send="true"
                                      rel="nofollow" shape="rect"
                                      target="_blank"
                                      href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                                      class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br
                                      class="" clear="none">
                                  </blockquote>
                                </div>
                                <br class="" clear="none">
                              </div>
                            </div>
                          </div>
                          <br class="">
                          <div class="yqt1765160907" id="yqt35967">_______________________________________________<br
                              class="" clear="none">
                            keycloak-user mailing list<br class=""
                              clear="none">
                            <a moz-do-not-send="true" shape="rect"
                              ymailto="mailto:keycloak-user@lists.jboss.org"
href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br
                              class="" clear="none">
                            <a moz-do-not-send="true" shape="rect"
                              href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                              target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>
                          <br class="">
                          <br class="">
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </blockquote>
              <br class="">
              <pre class="moz-signature" cols="72">-- 
========================================
Caprica Ltd.
69 Great Hampton Street
Birmingham, West Midlands, B186EW, 
Registered in England and Wales
Company No. 5298548
Managing Director: Manfred Duchrow

Zweigniederlassung Deutschland
Gartenstr. 48, 89150 Laichingen
Amtsgericht Ulm: HRB 5073
Geschäftsführer: Manfred Duchrow
----------------------------------------
Tel:    +49 (0)7333 9232190
Fax:    +49 (0)7333 9232191
E-Mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.de">manfred.duchrow@caprica.de</a>
========================================</pre>
            </div>
</div>
        </blockquote>
      </div>
      <br class="">
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
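<p>The "reference token" pattern Raghuram describes, and the Bearer usage Manfred asks about, as an added illustration that is not part of the thread and not Keycloak's code: the authorization server signs a JWT, keeps it server-side, and hands the client a short opaque string; the client sends that string as the Bearer value and a resource server resolves it with an introspection-style lookup (response shape after RFC 7662). The realm key, issuer, client name and claims are constructed for the example, and HS256 is used only because the standard library can produce it.</p>

```python
"""Reference ("by reference") access tokens backed by a server-side signed JWT.

Added illustration for the thread above; this is not Keycloak code. Realm key,
issuer, client and claims are constructed. HS256 is used because the Python
standard library can produce it; nothing here depends on a third-party library.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed HS256 realm key for the example only; a real realm uses a random
# secret (or an asymmetric key pair) that never leaves the authorization server.
REALM_KEY = b"example-realm-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes = REALM_KEY) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256."""
    signing_input = f"{_compact_json({'alg': 'HS256', 'typ': 'JWT'})}.{_compact_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = REALM_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm; never let the token's own "alg" field choose the check.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        return None
    return claims


class ReferenceTokenStore:
    """Server-side map from a hash of the opaque reference to the signed JWT."""

    def __init__(self) -> None:
        self._by_hash = {}

    @staticmethod
    def _key(ref: str) -> str:
        # Only a hash is stored, so a leaked store does not yield usable bearer tokens.
        return hashlib.sha256(ref.encode()).hexdigest()

    def issue(self, claims: dict) -> str:
        ref = secrets.token_urlsafe(32)  # 43-character opaque string, nothing to decode
        self._by_hash[self._key(ref)] = sign_jwt(claims)
        return ref

    def introspect(self, ref: str, now: Optional[float] = None) -> dict:
        """RFC 7662-style answer: {"active": false} or the validated claims."""
        jwt = self._by_hash.get(self._key(ref))
        claims = verify_jwt(jwt, now=now) if jwt else None
        if claims is None:
            return {"active": False}
        return {"active": True, **claims}

    def revoke(self, ref: str) -> None:
        self._by_hash.pop(self._key(ref), None)


def bearer_header(ref: str) -> dict:
    """What the client puts on its request: the reference, not the JWT."""
    return {"Authorization": f"Bearer {ref}"}


def demo(now: float = 1_454_676_424.0) -> dict:
    """Walk through issue, use, expiry and revocation; return what each step yielded."""
    store = ReferenceTokenStore()
    claims = {  # constructed claims in the general shape of a service-account token
        "iss": "https://sso.example.test/auth/realms/myrealm",
        "sub": "service-account-myclient",
        "azp": "myclient",
        "exp": now + 60,
        "realm_access": {"roles": ["offline_access"]},
    }
    ref = store.issue(claims)
    results = {
        "bearer_header": bearer_header(ref),
        "reference_length": len(ref),
        "jwt_length": len(sign_jwt(claims)),
        "active": store.introspect(ref, now=now)["active"],
        "subject": store.introspect(ref, now=now).get("sub"),
        "expired": store.introspect(ref, now=now + 61)["active"],
        "unknown_reference": store.introspect("not-a-real-reference", now=now)["active"],
    }
    store.revoke(ref)  # immediate revocation, which a self-contained JWT cannot offer
    results["revoked"] = store.introspect(ref, now=now)["active"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Running the block prints the Bearer header carrying a 43-character reference next to the much longer JWT that stays on the server, and shows the three ways a lookup comes back inactive: the token expired, the reference is unknown, or it was revoked. The trade-off is the one the thread names: the resource server must call back to the authorization server on every request instead of checking a signature locally.</p>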
  </body>
</html>