Re: [keycloak-user] keycloak and open id connect

OpenID Connect is a specification for a auth protocol framework. Keycloak is an SSO solution that is implemented on top of a auth protocol framework. That being said... OpenID Connect is an OAuth 2.0 extension. We are currently in the process of providing minimal required support for OpenID Connect which will allow us to claim we are an OpenID Connect provider. This was actually very easy to do as Keycloak was already an OAuth 2.0 extension and were already using JWT, JWE, and JWS! We will implement additional optional pieces of OpenID Connect that seem like a good fit for Keycloak as time goes on too. OpenID Connect nor OAuth 2.0 define an Access Token format, so, we have our own based on JWT. We added additional claims that specify role mappings. Other extensions we have are an client REST API so that the Keycloak server can do a remote logout, gather session stats, or push a revocation policy. We might also piggyback additional information like revocation policies with AccessTokenResponses. All legal and allowed in the OpenID Connect specification. On 2/27/2014 10:42 PM, J Coder wrote: -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com