I see. I didn't know that the access token was another JWS token like the
ID Token:
https://github.com/keycloak/keycloak/blob/29c0fe564ce01c5cbfb1ca42e15bc7e...
I didn't see in the OpenID Connect standard that the access token carried
information, unlike the ID Token. That explains the so long access tokens
from Keycloak... Carrying info is optional in the standard:
https://tools.ietf.org/html/rfc6749#section-1.4 It should be explained in
the Keycloak docs (unless I missed it).
Thanks, Bill.
On Thu, May 4, 2017 at 5:17 PM Bill Burke <bburke(a)redhat.com> wrote:
Non servlet apps should have access to the token too. client
session
and user session ids are in the token.
On 5/4/17 6:44 AM, Tomás García wrote:
> I'm looking at this doc:
>
https://keycloak.gitbooks.io/documentation/server_development/topics/iden...
>
> And unless your app lives inside a Java servlet guarded by Keycloak,
> there's no way to use this feature, right? Due to the hash generation. I
> don't see a way to get a client / user session Id since they're internal
> stuff in Keycloak associated thanks to the cookie in the user's browser.
I
> get why it's needed though and I don't see any good alternative right now
> for non-servlet apps (OpenID Connect enabled apps made in other languages
> for instance)... but it's unfortunate that the doc doesn't clarify it.
>
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user