Yes, roles can be removed from the refresh tokens, and maybe a JIRA already
exists for this, but I'm not 100% sure...
Client scopes can't actually be removed, as you can have more refresh
tokens corresponding to the same client in the same user session, and we want the
information about the used client scopes to be tracked in the refresh token
itself (tracking that on the server side in the session has some other
disadvantages for various reasons...). I think this is not so big an issue,
as the scopes in the tokens are not so huge as the roles?
On 06/04/2019 13:09, Thomas Darimont wrote:
The refresh tokens which are currently issued by Keycloak contain standard
JWT claims and references to the Keycloak session. Additionally, they also
contain realm roles and client role information together with the used
I'm wondering whether roles and scope information is required for refresh
tokens or could even be removed?
keycloak-dev mailing list
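As an added example (not from this thread and not Keycloak's own code), the script below measures the point the two messages are debating: how much of a refresh token's body is taken up by role claims versus scope claims, and how much smaller the token becomes once the role claims are dropped while the scope claim stays. The token is a constructed HS256 JWS signed with an example secret, the claim names (`realm_access`, `resource_access`, `scope`, `session_state`) are assumed to follow the usual Keycloak token layout, and the signature is verified before any claim is read, which is the order a token-inspecting tool should always use.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real realm signs with its own keys.
EXAMPLE_SECRET = b"example-refresh-token-secret"

# Assumed claim names (Keycloak-style); they are an assumption of this example.
ROLE_CLAIMS = ("realm_access", "resource_access")
SCOPE_CLAIM = "scope"

# Constructed refresh-token claims in the shape the thread describes:
# standard JWT claims, a session reference, realm/client roles and used scopes.
EXAMPLE_REFRESH_CLAIMS = {
    "jti": "constructed-token-id",
    "iat": 1554556140,
    "exp": 1554557940,
    "typ": "Refresh",
    "iss": "https://sso.example.test/auth/realms/demo",
    "aud": "demo-app",
    "sub": "constructed-user-id",
    "azp": "demo-app",
    "session_state": "constructed-session-id",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user", "auditor", "reporting"]},
    "resource_access": {
        "demo-app": {"roles": ["manage-orders", "view-invoices"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
    "scope": "openid profile email",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_token(claims: dict, secret: bytes = EXAMPLE_SECRET) -> str:
    """Produce a compact HS256 JWS for the given claims."""
    header = _b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url_encode(_compact_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes = EXAMPLE_SECRET) -> dict:
    """Check the signature first; only then return the claims for inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(payload_b64))


def claim_footprint(token: str, secret: bytes = EXAMPLE_SECRET) -> dict:
    """Report how many payload bytes the role claims and the scope claim cost."""
    claims = verify_and_decode(token, secret)
    total = len(_compact_json(claims))
    without_roles = {k: v for k, v in claims.items() if k not in ROLE_CLAIMS}
    without_scope = {k: v for k, v in claims.items() if k != SCOPE_CLAIM}
    return {
        "total_payload_bytes": total,
        "role_claim_bytes": total - len(_compact_json(without_roles)),
        "scope_claim_bytes": total - len(_compact_json(without_scope)),
        "has_roles": any(k in claims for k in ROLE_CLAIMS),
        "scopes": claims.get(SCOPE_CLAIM, "").split(),
    }


def strip_role_claims(token: str, secret: bytes = EXAMPLE_SECRET) -> str:
    """Re-issue the token without role claims, keeping the scope claim (the thread's proposal)."""
    claims = verify_and_decode(token, secret)
    slim = {k: v for k, v in claims.items() if k not in ROLE_CLAIMS}
    return sign_token(slim, secret)


if __name__ == "__main__":
    original = sign_token(EXAMPLE_REFRESH_CLAIMS)
    print("original:", len(original), "chars", claim_footprint(original))
    slim = strip_role_claims(original)
    print("without roles:", len(slim), "chars", claim_footprint(slim))
```

Running it prints the payload size, the share spent on roles versus scopes, and the length of the re-issued token; on the constructed claims the role claims dwarf the scope claim, which matches the thread's remark that scopes are the cheaper part to keep.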