[keycloak-dev] User ids and usernames

Bill Burke bburke at redhat.com
Thu Feb 6 20:37:25 EST 2014



On 2/6/2014 11:05 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 6 February, 2014 3:59:24 PM
>> Subject: Re: [keycloak-dev] User ids and usernames
>>
>>
>>
>> On 2/6/2014 10:47 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 6 February, 2014 3:41:34 PM
>>>> Subject: Re: [keycloak-dev] User ids and usernames
>>>>
>>>> Maybe just return additional information in the json response from
>>>> obtaining an access token.  The access token would just contain a link
>>>> to user profile information.  This reduces token size and yet allows
>>>> pure REST Bearer Token services to get profile information if they
>>>> desire it.
>>>
>>> I agree some mechanism to retrieve the token + profile in the same request
>>> would be nice, but IMO that's an performance optimization that can be done
>>> later. Google for example only return the ID, and you need to go an
>>> retrieve the profile if you want. I believe this is the way OpenID Connect
>>> does it as well, as I'm using Google's OpenID connect endpoints to
>>> retrieve the profile.
>>>
>>
>> Yeah, but wanting to know username, first, last, and/or email is just so
>> common it should be optimzied.
>
> Have you read OpenID Connect spec yet? Is there anything like that in there?
>

I think there might be.  I'll have to research a bit.  I"ll make OpenID 
connect a priority after we do Alpha 2 release (which should be soon right?)

> Could add a query param or a different endpoint that returns profile with token, or something like that. If it's embedded in token, token is bigger. There's also the case when we introduce refresh tokens you'll not want to return the profile then I suppose.
>
> Can we introduce these changes now? Then add a JIRA for adding some mechanism to retrieve token + profile in one request soon?

Sure, do it.  You're right.  I was just being devil's advocate to make 
sure we're not making a decision we'll regret.  We'll do the profile 
stuff later I guess.  We don't need it right now.  And there might be an 
openid solution.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list