On 12/3/2014 2:55 AM, Stian Thorgersen wrote:
> As AccessToken and RefreshToken extends IDToken they contain the ID
> Token claims. If I've read the spec correctly those claims should only be in the ID
> Token. There should also be a separate UserInfo endpoint which we're missing.

Access and refresh tokens are opaque. We can put anything we want in them.

> Is there a reason why AccessToken extends IDToken, or can we remove
> that?

Please don't remove it. AccessToken extends IDToken so that we can
propagate stuff with bearer token auth. Refresh token needs much of the
same information as JWT: expiration, subject, roles granted, claims
granted, so it can make decisions on whether to refresh the token or not.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
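To make the design point in the thread concrete (an access token that carries the ID Token claims plus what bearer auth needs, and a refresh token that carries enough state to decide on its own whether a refresh is allowed), here is an added, self-contained model of the three token types. It is example code written for this page, not Keycloak's implementation; the claim names, the HS256-style signing helper, the constructed key and the `can_refresh` decision rules are assumptions for illustration only.

```python
"""Added example (not Keycloak's code): a minimal model of ID, access and refresh
tokens as signed JWTs, and a refresh decision that uses only the claims carried
inside the refresh token (expiry, subject, issuer, roles granted at login)."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"   # constructed for the example only
ISSUER = "https://issuer.example"  # assumed issuer URL


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes = SECRET) -> str:
    """Encode claims as a compact JWS (HS256), so every token type is a JWT."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def verify(token: str, key: bytes = SECRET) -> dict:
    """Check the MAC before trusting any claim; raises ValueError on tampering."""
    header, payload, mac = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))


def id_token_claims(sub: str, aud: str, now: int, ttl: int = 300) -> dict:
    """Claims that OpenID Connect places in the ID Token."""
    return {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now,
            "exp": now + ttl, "auth_time": now}


def access_token_claims(sub: str, aud: str, now: int, roles, ttl: int = 300) -> dict:
    """'AccessToken extends IDToken': the same base claims plus the roles
    a resource server needs when the token is presented as a bearer token."""
    claims = id_token_claims(sub, aud, now, ttl)
    claims["typ"] = "Bearer"
    claims["realm_access"] = {"roles": sorted(roles)}
    return claims


def refresh_token_claims(sub: str, now: int, roles, ttl: int = 1800) -> dict:
    """The refresh token keeps expiry, subject and the roles granted at login."""
    return {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + ttl,
            "typ": "Refresh", "realm_access": {"roles": sorted(roles)}}


def can_refresh(refresh_token: str, now: int, requested_roles, iss: str = ISSUER):
    """Decide from the refresh token alone whether a new access token may be minted.
    Returns (allowed, reason)."""
    try:
        claims = verify(refresh_token)
    except ValueError:
        return False, "signature"
    if claims.get("typ") != "Refresh" or claims.get("iss") != iss:
        return False, "wrong token type or issuer"
    if now >= claims["exp"]:
        return False, "expired"
    granted = set(claims["realm_access"]["roles"])
    if not set(requested_roles) <= granted:   # never widen what was granted at login
        return False, "role escalation"
    return True, "ok"


def tamper(token: str, **changes) -> str:
    """Rewrite the payload but keep the original MAC (simulates a forged claim)."""
    header, payload, mac = token.split(".")
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return f"{header}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{mac}"


if __name__ == "__main__":
    now = 1_700_000_000   # constructed timestamp
    rt = sign(refresh_token_claims("alice", now, ["user"]))
    print(can_refresh(rt, now + 10, ["user"]))              # (True, 'ok')
    print(can_refresh(rt, now + 10, ["admin"]))             # (False, 'role escalation')
    print(can_refresh(rt, now + 1800, ["user"]))            # (False, 'expired')
    forged = tamper(rt, realm_access={"roles": ["admin", "user"]})
    print(can_refresh(forged, now + 10, ["admin"]))         # (False, 'signature')
```

The point of `can_refresh` is that every input it needs (issuer, subject, expiry, granted roles) is inside the refresh token itself, which is why stripping those claims from the refresh token would force the server to consult other state before it could decide; the `tamper` helper shows why the signature check has to come before any claim is read.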