[keycloak-dev] ID Token claims in Access Token and Refresh Token
Bill Burke
bburke at redhat.com
Wed Dec 3 09:10:08 EST 2014
On 12/3/2014 2:55 AM, Stian Thorgersen wrote:
> As AccessToken and RefreshToken extends IDToken they contain the ID Token claims. If I've read the spec correctly those claims should only be in the ID Token. There should also be a separate UserInfo endpoint which we're missing.
>
Access and refresh tokens are opaque. We can put anything we want in them.
> Is there a reason why AccessToken extends IDToken, or can we remove that?
Please don't remove it. AccessToken extends IDToken so that we can
propagate stuff with bearer token auth. Refresh token needs much of the
same information as JWT, expiration, subject, roles granted, claims
granted so it can make decisions on whether to refresh the token or not.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com