<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>&#43;1 on this, but I understand the time constraints.</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>&lt;<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>&gt; on behalf of Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Monday, February 8, 2016 at 12:22 PM<br>
<span style="font-weight:bold">To: </span>&quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] access_token always contains JWT<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">Yes.&nbsp; We want that.&nbsp; Just too busy :)<br>
<br>
<div class="moz-cite-prefix">On 2/8/2016 12:16 PM, Scott Rossillo wrote:<br>
</div>
<blockquote cite="mid:E13F86C3-409C-4351-A972-A0872D274D95@smartling.com" type="cite">
<div class="">Opaque access tokens are an interesting idea for security reasons. I&#8217;ve heard them referred to as &quot;by reference&quot; access tokens because the actual JWT access token has to be stored somewhere. The OpenID spec doesn&#8217;t address this, but it&#8217;s a solid idea for access tokens exposed to external applications, which do not need to be concerned with, or possibly shouldn&#8217;t be privy to, the information inside the token.</div>
<div class=""><br class="">
</div>
<div class="">There&#8217;s another option that may be more manageable. That is to offer a per client option of encrypting the access token, known as JWE, or JSON Web Encryption[0]. The basic idea is that the signed token is then encrypted with a symmetrical key.
 This key would probably be a realm level key. Another benefit or JWE is the access token payload is compressed, making the access token shorter.</div>
<div class=""><br class="">
</div>
<div class="">Is this something we would be interested in adding support for?</div>
<div class=""><br class="">
</div>
<div class="">[0]:&nbsp;<a moz-do-not-send="true" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40" class="">https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40</a></div>
<br class="">
<div class="">
<div class="">Scott Rossillo</div>
<div class="">Smartling | Senior Software Engineer</div>
<div class=""><a moz-do-not-send="true" href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>
<div class=""><br class="">
</div>
</div>
<div>
<blockquote type="cite" class="">
<div class="">On Feb 5, 2016, at 9:17 AM, <a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class=""><font class="" face="Arial">Yes, that's true (even for some open source software too).<br class="">
So am I supposed to put this JWT access token into the Authorization request header as Bearer value to authorize a request?<br class="">
The access token I got from Keycloak is over 5000 characters long!<br class="">
<br class="">
</font><br class="">
<div class="moz-cite-prefix">On 05.02.2016 13:47, Raghuram Prabhala wrote:<br class="">
</div>
<blockquote cite="mid:355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com" type="cite" class="">
<div style="background-color: rgb(255, 255, 255);
                  font-family: 'Courier New', courier, monaco,
                  monospace, sans-serif; font-size: 13px;" class="">
<div id="yui_3_16_0_1_1454674140461_3821" dir="ltr" class=""><span id="yui_3_16_0_1_1454674140461_3820" class="">The access token is implementation specific. Some commercial software has the concept of &quot;reference tokens&quot;, which are nothing but random strings, as indicated below. The clients have to query back the Authorization server to get a validated JWT token.</span></div>
<div dir="ltr" id="yui_3_16_0_1_1454674140461_5172" class=""><br class="">
</div>
<div class="qtdSeparateBR"><br class="">
<br class="">
</div>
<div class="yahoo_quoted" id="yui_3_16_0_1_1454674140461_5186" style="display:
                    block;">
<div style="font-family: Courier New, courier,
                      monaco, monospace, sans-serif; font-size: 13px;" id="yui_3_16_0_1_1454674140461_5185" class="">
<div style="font-family: HelveticaNeue, Helvetica
                        Neue, Helvetica, Arial, Lucida Grande,
                        sans-serif; font-size: 16px;" id="yui_3_16_0_1_1454674140461_5184" class="">
<div dir="ltr" id="yui_3_16_0_1_1454674140461_5183" class=""><font id="yui_3_16_0_1_1454674140461_5182" class="" size="2" face="Arial">
<hr class="" size="1">
<b class=""><span style="font-weight:bold;" class="">From:</span></b> Stian Thorgersen
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:sthorger@redhat.com">
&lt;sthorger@redhat.com&gt;</a><br class="">
<b class=""><span style="font-weight: bold;" class="">To:</span></b> <a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a><br class="">
<b class=""><span style="font-weight: bold;" class="">Cc:</span></b> keycloak-user
<a class="moz-txt-link-rfc2396E" href="mailto:keycloak-user@lists.jboss.org">&lt;keycloak-user@lists.jboss.org&gt;</a><br class="">
<b class=""><span style="font-weight: bold;" class="">Sent:</span></b> Friday, February 5, 2016 7:10 AM<br class="">
<b class=""><span style="font-weight: bold;" class="">Subject:</span></b> Re: [keycloak-user] access_token always contains JWT<br class="">
</font></div>
<div class="y_msg_container" id="yui_3_16_0_1_1454674140461_5189"><br class="">
<div id="yiv0521677882" class="">
<div id="yui_3_16_0_1_1454674140461_5188" class="">
<div dir="ltr" id="yui_3_16_0_1_1454674140461_5187" class="">There's no such thing as a &quot;simple token&quot;. Tokens are always a signed JWT.</div>
<div class="yiv0521677882gmail_extra" id="yui_3_16_0_1_1454674140461_5191"><br class="" clear="none">
<div class="yiv0521677882gmail_quote" id="yui_3_16_0_1_1454674140461_5190">On 5 February 2016 at 11:17,
<span dir="ltr" class="">&lt;<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz"></a><a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a>&gt;</span> wrote:<br class="" clear="none">
<blockquote class="yiv0521677882gmail_quote" style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex;" id="yui_3_16_0_1_1454674140461_5195">
<div class="yiv0521677882yqt1765160907" id="yiv0521677882yqt70160">
<div id="yui_3_16_0_1_1454674140461_5194" class="">
<div style="font-family:-moz-fixed;font-size:14px;" id="yui_3_16_0_1_1454674140461_5193" class="" lang="x-unicode">
<pre id="yui_3_16_0_1_1454674140461_5192" class="">Hi,

I am trying to retrieve an access token from a Keycloak (1.8.0.Final)
service account by
POST /auth/realms/myrealm/protocol/openid-connect/token
with grant_type=client_credentials.

The result contains a signed JWT as the value of the &quot;access_token&quot; field rather
than a simple token
as described in chapter 18 (Service Accounts) of the user guide.

So what I expect (need) is a response like this:

{
    &quot;access_token&quot;:&quot;2YotnFZFEjr1zCsicMWpAA&quot;,
    &quot;token_type&quot;:&quot;bearer&quot;,
    &quot;expires_in&quot;:60,
    &quot;refresh_token&quot;:&quot;tGzv3JOkF0XG5Qx2TlKWIA&quot;,
    &quot;refresh_expires_in&quot;:600,
    &quot;id_token&quot;:&quot;tGzv3JOkF0XG5Qx2TlKWIA&quot;,
    &quot;not-before-policy&quot;:0,
    &quot;session-state&quot;:&quot;234234-234234-234234&quot;
}

Is there a way to configure the account or the realm to return a simple
token
in &quot;access_token&quot; (and &quot;refresh_token&quot;) rather than a JWT?

Cheers,
  Manfred


</pre>
</div>
</div>
</div>
<br class="" clear="none">
_______________________________________________<br class="" clear="none">
keycloak-user mailing list<br class="" clear="none">
<a moz-do-not-send="true" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="" clear="none">
<a moz-do-not-send="true" rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="" clear="none">
</blockquote>
</div>
<br class="" clear="none">
</div>
</div>
</div>
<br class="">
<br class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">-- 
========================================
Caprica Ltd.
69 Great Hampton Street
Birmingham, West Midlands, B186EW, 
Registered in England and Wales
Company No. 5298548
Managing Director: Manfred Duchrow

German branch
Gartenstr. 48, 89150 Laichingen
Ulm Local Court (Amtsgericht Ulm): HRB 5073
Managing Director: Manfred Duchrow
----------------------------------------
Tel:    &#43;49 (0)7333 9232190
Fax:    &#43;49 (0)7333 9232191
E-Mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.de">manfred.duchrow@caprica.de</a>
========================================</pre>
</div>
</div>
</blockquote>
</div>
<br class="">
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
</div>
</div>
</span>
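<div>To make the &quot;by reference&quot; scheme that Raghuram and Scott describe concrete, here is an added example; it is not Keycloak&#8217;s code (Keycloak, as Stian says above, always issues a signed JWT), and it uses a constructed HS256 key in place of a realm signing key. The client receives only a short random handle, the resource server queries back to resolve it into validated claims, and the server can revoke a handle immediately, which a self-contained JWT does not allow.</div>

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo key; a real authorization server would hold a realm-level signing key.
REALM_HMAC_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict, key: bytes = REALM_HMAC_KEY) -> str:
    """Mint a compact HS256 JWT: the 'by value' token that would otherwise travel to the client."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = REALM_HMAC_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HMAC and the 'exp' claim check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

class ReferenceTokenStore:
    """'By reference' tokens: the client only ever sees a random handle; the JWT stays server-side."""
    def __init__(self) -> None:
        self._by_handle: dict = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(16)  # 128 bits of entropy, 22 characters, nothing to decode
        self._by_handle[handle] = sign_jwt(claims)
        return handle

    def introspect(self, handle: str, now: Optional[float] = None) -> Optional[dict]:
        """The resource server queries back with the handle; None means 'not active'."""
        jwt = self._by_handle.get(handle)
        return verify_jwt(jwt, now=now) if jwt else None

    def revoke(self, handle: str) -> None:
        """Unlike a self-contained JWT, a reference token can be invalidated at once."""
        self._by_handle.pop(handle, None)
```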
</body>
</html>