[keycloak-dev] ID Token claims in Access Token and Refresh Token
Marek Posolda
mposolda at redhat.com
Wed Dec 3 08:39:14 EST 2014
The one reason I can think of is bearer authentication. Currently we are
doing it with accessToken and if we remove claims from accessToken, then
bearer app won't be able to easily retrieve informations about user
without sending another request to UserInfo endpoint. I agree that
having userInfo in all tokens doesn't makes much sense, but not sure how
to improve it. Some options:
1) Remove IDToken (but I guess we need it for OpenID connect support,
right?)
2) Send both accessToken+idToken to bearer auth (but there is more
network bandwith then)
3) Allow bearer apps to retrieve data from UserInfo, but that's another
request to KC needed then
4) Keep as it is.
For UserInfo we have endpoint on AccountManagement, which is used for
example by keycloak.js (Keycloak.loadUserProfile). Or do you mean
something different?
Marek
On 3.12.2014 08:55, Stian Thorgersen wrote:
> As AccessToken and RefreshToken extends IDToken they contain the ID Token claims. If I've read the spec correctly those claims should only be in the ID Token. There should also be a separate UserInfo endpoint which we're missing.
>
> Is there a reason why AccessToken extends IDToken, or can we remove that?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list