[keycloak-dev] User ids and usernames

Bill Burke bburke at redhat.com
Thu Feb 6 10:59:24 EST 2014

On 2/6/2014 10:47 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 6 February, 2014 3:41:34 PM
>> Subject: Re: [keycloak-dev] User ids and usernames
>> Maybe just return additional information in the json response from
>> obtaining an access token.  The access token would just contain a link
>> to user profile information.  This reduces token size and yet allows
>> pure REST Bearer Token services to get profile information if they
>> desire it.
> I agree some mechanism to retrieve the token + profile in the same request would be nice, but IMO that's an performance optimization that can be done later. Google for example only return the ID, and you need to go an retrieve the profile if you want. I believe this is the way OpenID Connect does it as well, as I'm using Google's OpenID connect endpoints to retrieve the profile.

Yeah, but wanting to know username, first, last, and/or email is just so 
common it should be optimzied.

> There's also the case where you don't want to give an app access to your full profile. Currently the token would have to have account/view-profile role to be able to retrieve the profile.

Keycloak knows the client's permissions.  So that is not an issue.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list