Hello group,

Keycloak allows specifying custom "protocol mappers" for a particular client or for multiple clients via client templates. With these "protocol mappers", one can add custom information to the JWT token, e.g. based on a user attribute, user property etc.

One has the option to add the attribute to the IDToken and/or to the AccessToken.

What would be a good guideline for developers to follow when choosing which one (or both) to use?

Is it correct to say that the IDToken is just provided "once" after login, whereas the AccessToken may be periodically renewed and is thus more dynamic (in the sense that user attribute changes are propagated "sooner")?

When would it make sense to add information to the IDToken AND the AccessToken?

Cheers,
Thomas
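As an added example (not part of Thomas's message and not Keycloak's own code), the following Python builds the "User Attribute" protocol mapper representation that Keycloak stores in realm exports and accepts on the admin REST endpoint POST /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models, with the id.token.claim / access.token.claim / userinfo.token.claim flags set explicitly, and then shows the check a developer would run against a token response to confirm which token actually carries the custom claim. The token response, the HMAC key and the realm URL are constructed for the example; a real Keycloak token is RS256-signed and must be signature-verified before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key used only to build sample tokens for this example;
# it is not a Keycloak secret and real Keycloak tokens are RS256-signed.
_SAMPLE_KEY = b"example-only-not-a-real-keycloak-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that compact JWS encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mapper_payload(claim_name, user_attribute, in_id_token, in_access_token, in_userinfo=True):
    """Build a Keycloak 'User Attribute' protocol mapper representation.

    The key names match what Keycloak writes in a realm export for the
    oidc-usermodel-attribute-mapper; the booleans are stored as the strings
    "true"/"false", which is what the admin REST API expects.
    """
    return {
        "name": f"{user_attribute} to {claim_name}",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "consentRequired": False,
        "config": {
            "user.attribute": user_attribute,
            "claim.name": claim_name,
            "jsonType.label": "String",
            "id.token.claim": "true" if in_id_token else "false",
            "access.token.claim": "true" if in_access_token else "false",
            "userinfo.token.claim": "true" if in_userinfo else "false",
        },
    }


def make_sample_jwt(payload: dict) -> str:
    """Constructed HS256 JWT standing in for a token Keycloak would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(_SAMPLE_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT verifying the signature.

    Adequate for inspecting what a mapper emitted in a test realm; never use
    it for an authorization decision, which must follow signature, issuer,
    audience and expiry checks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def claim_locations(token_response: dict, claim: str) -> dict:
    """Report which tokens in an OIDC token response carry `claim`."""
    return {
        name: claim in decode_claims(token_response[name])
        for name in ("id_token", "access_token")
        if name in token_response
    }


# Constructed token response for a mapper configured with
# id.token.claim=false and access.token.claim=true: the custom claim
# "department" should therefore appear only in the access token.
_ISS = "https://sso.example.test/realms/demo"  # assumed realm URL
SAMPLE_RESPONSE = {
    "id_token": make_sample_jwt({"iss": _ISS, "sub": "u-1", "aud": "app", "exp": 1700000300}),
    "access_token": make_sample_jwt(
        {"iss": _ISS, "sub": "u-1", "aud": "app", "exp": 1700000300, "department": "finance"}
    ),
    "expires_in": 300,
}

if __name__ == "__main__":
    print(json.dumps(mapper_payload("department", "department", in_id_token=False, in_access_token=True), indent=2))
    print(claim_locations(SAMPLE_RESPONSE, "department"))
```

Running claim_locations against the response returned right after login and again after a refresh_token grant is the quickest way to see which token a given mapper feeds and when a changed user attribute shows up in it.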