<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>

<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">

<div>&#43;1 on this, but I understand the time constraints.</div>

<div><br>

</div>

<span id="OLK_SRC_BODY_SECTION">

<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">

<span style="font-weight:bold">From: </span>&lt;<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>&gt; on behalf of Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;<br>

<span style="font-weight:bold">Date: </span>Monday, February 8, 2016 at 12:22 PM<br>

<span style="font-weight:bold">To: </span>&quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>

<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] access_token always contains JWT<br>

</div>

<div><br>

</div>

<div>

<div bgcolor="#FFFFFF" text="#000000">Yes.&nbsp; We want that.&nbsp; Just too busy :)<br>

<br>

<div class="moz-cite-prefix">On 2/8/2016 12:16 PM, Scott Rossillo wrote:<br>

</div>

<blockquote cite="mid:E13F86C3-409C-4351-A972-A0872D274D95@smartling.com" type="cite">

<div class="">Opaque access tokens are an interesting idea for security reasons. I&#8217;ve heard them referred to as &quot;by reference&quot; access tokens because the actual JWT access token has to be stored somewhere. The OpenID spec doesn&#8217;t address this but it&#8217;s a solid

 idea for access tokens exposed to external applications, which do not need to be concerned with, or possibly shouldn&#8217;t be privy to the information inside the token.</div>

<div class=""><br class="">

</div>

<div class="">There&#8217;s another option that may be more manageable. That is to offer a per client option of encrypting the access token, known as JWE, or JSON Web Encryption[0]. The basic idea is that the signed token is then encrypted with a symmetrical key.

 This key would probably be a realm level key. Another benefit or JWE is the access token payload is compressed, making the access token shorter.</div>

<div class=""><br class="">

</div>

<div class="">Is this something we would be interested in adding support for?</div>

<div class=""><br class="">

</div>

<div class="">[0]:&nbsp;<a moz-do-not-send="true" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40" class="">https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40</a></div>

<br class="">

<div class="">

<div class="">Scott Rossillo</div>

<div class="">Smartling | Senior Software Engineer</div>

<div class=""><a moz-do-not-send="true" href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div>

<div class=""><br class="">

</div>

</div>

<div>

<blockquote type="cite" class="">

<div class="">On Feb 5, 2016, at 9:17 AM, <a moz-do-not-send="true" href="mailto:manfred.duchrow@caprica.biz" class="">

</a><a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a> wrote:</div>

<br class="Apple-interchange-newline">

<div class="">

<div bgcolor="#FFFFFF" text="#000000" class=""><font class="" face="Arial">Yes, that's true (even for some open source software too).<br class="">

So am I supposed to put this JWT access token into the Authorization request header as Bearer value to authorize a request?<br class="">

The access token I got from Keycloak is over 5000 characters long!<br class="">

<br class="">

</font><br class="">

<div class="moz-cite-prefix">On 05.02.2016 13:47, Raghuram Prabhala wrote:<br class="">

</div>

<blockquote cite="mid:355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com" type="cite" class="">

<div style="background-color: rgb(255, 255, 255);

                  font-family: 'Courier New', courier, monaco,

                  monospace, sans-serif; font-size: 13px;" class="">

<div id="yui_3_16_0_1_1454674140461_3821" dir="ltr" class=""><span id="yui_3_16_0_1_1454674140461_3820" class="">Access token is implementation specific. Some commercial software have the concept of &quot;reference tokens&quot; which are nothing but random strings indicated

 below. The clients have to query back the Authorization server to get a validated JWT token</span></div>

<div dir="ltr" id="yui_3_16_0_1_1454674140461_5172" class=""><br class="">

</div>

<div class="qtdSeparateBR"><br class="">

<br class="">

</div>

<div class="yahoo_quoted" id="yui_3_16_0_1_1454674140461_5186" style="display:

                    block;">

<div style="font-family: Courier New, courier,

                      monaco, monospace, sans-serif; font-size: 13px;" id="yui_3_16_0_1_1454674140461_5185" class="">

<div style="font-family: HelveticaNeue, Helvetica

                        Neue, Helvetica, Arial, Lucida Grande,

                        sans-serif; font-size: 16px;" id="yui_3_16_0_1_1454674140461_5184" class="">

<div dir="ltr" id="yui_3_16_0_1_1454674140461_5183" class=""><font id="yui_3_16_0_1_1454674140461_5182" class="" size="2" face="Arial">

<hr class="" size="1">

<b class=""><span style="font-weight:bold;" class="">From:</span></b> Stian Thorgersen

<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:sthorger@redhat.com">

&lt;sthorger@redhat.com&gt;</a><br class="">

<b class=""><span style="font-weight: bold;" class="">To:</span></b> <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">

</a><a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a><br class="">

<b class=""><span style="font-weight: bold;" class="">Cc:</span></b> keycloak-user

<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:keycloak-user@lists.jboss.org">

</a><a class="moz-txt-link-rfc2396E" href="mailto:keycloak-user@lists.jboss.org">&lt;keycloak-user@lists.jboss.org&gt;</a><br class="">

<b class=""><span style="font-weight: bold;" class="">Sent:</span></b> Friday, February 5, 2016 7:10 AM<br class="">

<b class=""><span style="font-weight: bold;" class="">Subject:</span></b> Re: [keycloak-user] access_token always contains JWT<br class="">

</font></div>

<div class="y_msg_container" id="yui_3_16_0_1_1454674140461_5189"><br class="">

<div id="yiv0521677882" class="">

<div id="yui_3_16_0_1_1454674140461_5188" class="">

<div dir="ltr" id="yui_3_16_0_1_1454674140461_5187" class="">There's no such thing as a &quot;simple token&quot;. Tokens are always a signed JWT.</div>

<div class="yiv0521677882gmail_extra" id="yui_3_16_0_1_1454674140461_5191"><br class="" clear="none">

<div class="yiv0521677882gmail_quote" id="yui_3_16_0_1_1454674140461_5190">On 5 February 2016 at 11:17,

<span dir="ltr" class="">&lt;<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz"></a><a class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.biz">manfred.duchrow@caprica.biz</a>&gt;</span> wrote:<br class="" clear="none">

<blockquote class="yiv0521677882gmail_quote" style="margin:0 0 0

                                    .8ex;border-left:1px #ccc

                                    solid;padding-left:1ex;" id="yui_3_16_0_1_1454674140461_5195">

<div class="yiv0521677882yqt1765160907" id="yiv0521677882yqt70160">

<div id="yui_3_16_0_1_1454674140461_5194" class="">

<div style="font-family:-moz-fixed;font-size:14px;" id="yui_3_16_0_1_1454674140461_5193" class="" lang="x-unicode">

<pre id="yui_3_16_0_1_1454674140461_5192" class="">Hi,

I am trying to retrieve an access token from a Keycloak (1.8.0.Final)

service account by

POST /auth/realms/myrealm/protocol/openid-connect/token

with grant_type=client_credentials.

The result contains a signed JWT as value of field &quot;access_token&quot; rather

than a simple token

as described in chapter 18 (Service Accounts) of the user guide.

So what I expect (need) is a response like this:

{

    &quot;access_token&quot;:&quot;2YotnFZFEjr1zCsicMWpAA&quot;,

    &quot;token_type&quot;:&quot;bearer&quot;,

    &quot;expires_in&quot;:60,

    &quot;refresh_token&quot;:&quot;tGzv3JOkF0XG5Qx2TlKWIA&quot;,

    &quot;refresh_expires_in&quot;:600,

    &quot;id_token&quot;:&quot;tGzv3JOkF0XG5Qx2TlKWIA&quot;,

    &quot;not-before-policy&quot;:0,

    &quot;session-state&quot;:&quot;234234-234234-234234&quot;

}

Is there a way to configure the account or the realm to return a simple

token

in &quot;access_token&quot; (and &quot;refresh_token&quot;) rather than a JWT?

Cheers,

  Manfred

</pre>

</div>

</div>

</div>

<br class="" clear="none">

_______________________________________________<br class="" clear="none">

keycloak-user mailing list<br class="" clear="none">

<a moz-do-not-send="true" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" target="_blank" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="" clear="none">

<a moz-do-not-send="true" rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="" clear="none">

</blockquote>

</div>

<br class="" clear="none">

</div>

</div>

</div>

<br class="">

<div class="yqt1765160907" id="yqt35967">_______________________________________________<br class="" clear="none">

keycloak-user mailing list<br class="" clear="none">

<a moz-do-not-send="true" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="" clear="none">

<a moz-do-not-send="true" shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>

<br class="">

<br class="">

</div>

</div>

</div>

</div>

</div>

</blockquote>

<br class="">

<pre class="moz-signature" cols="72">-- 

========================================

Caprica Ltd.

69 Great Hampton Street

Birmingham, West Midlands, B186EW, 

Registered in England and Wales

Company No. 5298548

Managing Director: Manfred Duchrow

Zweigniederlassung Deutschland

Gartenstr. 48, 89150 Laichingen

Amtsgericht Ulm: HRB 5073

Gesch�ftsf�hrer: Manfred Duchrow

----------------------------------------

Tel:    &#43;49 (0)7333 9232190

Fax:    &#43;49 (0)7333 9232191

E-Mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:manfred.duchrow@caprica.de">manfred.duchrow@caprica.de</a>

========================================</pre>

</div>

_______________________________________________<br class="">

keycloak-user mailing list<br class="">

<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" class="">keycloak-user@lists.jboss.org</a><br class="">

<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div>

</blockquote>

</div>

<br class="">

<br>

<fieldset class="mimeAttachmentHeader"></fieldset> <br>

<pre wrap="">_______________________________________________

keycloak-user mailing list

<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>

</blockquote>

<br>

<pre class="moz-signature" cols="72">-- 

Bill Burke

JBoss, a division of Red Hat

<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>

</div>

</div>

</span>

</body>

</html>