[keycloak-dev] Smaller RefreshTokens?

Marek Posolda mposolda at redhat.com
Mon Apr 8 04:33:48 EDT 2019


Hi Thomas,

Yes, roles can be removed from the refresh tokens, and maybe a JIRA already 
exists for this, but I'm not 100% sure...

Client scopes can't actually be removed, as you can have more refresh 
tokens corresponding to the same client in the same user session, and we want the 
information about the used client scopes to be tracked in the refresh token 
itself (tracking that on the server side in the session has some other 
disadvantages for various reasons...). I think this is not so big an issue, 
as the scopes in the tokens are not as huge as the roles?

Marek

On 06/04/2019 13:09, Thomas Darimont wrote:
> Hello,
>
> the refresh tokens which are currently issued by Keycloak contain standard
> JWT claims and references to the Keycloak session. Additionally they also
> contain realm roles and client role information together with the used
> scope.
>
> I'm wondering whether roles and scope information is required for refresh
> tokens or could even be removed?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
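To put numbers on the point made above (that the role claims, not the scope claim, account for most of a refresh token's bulk), here is an added Python example; it is not Keycloak code and not part of the thread. It builds a constructed, unsigned token whose claim names follow the Keycloak token layout (realm_access, resource_access, scope, session_state); that layout, the sample role names and the size bookkeeping are assumptions made here, not statements from the thread. The helpers decode the payload without verifying any signature and report how many bytes each claim group contributes and what the payload would weigh with the roles or the scope stripped.

```python
import base64
import json

# Claim names follow Keycloak's token layout (realm_access, resource_access,
# scope, session_state) as an ASSUMPTION; the payload is constructed for this
# example and is not a real token. Nothing here verifies a signature.
ROLE_CLAIMS = ("realm_access", "resource_access")
SCOPE_CLAIMS = ("scope",)

SAMPLE_PAYLOAD = {  # constructed sample payload
    "jti": "7e1c2a2f-4b3e-4b5c-9f0d-1a2b3c4d5e6f",
    "exp": 1554712428,
    "nbf": 0,
    "iat": 1554710628,
    "iss": "https://sso.example.test/auth/realms/demo",
    "aud": "https://sso.example.test/auth/realms/demo",
    "sub": "2d6f1d5e-0c8a-4a1e-b6d7-9b1c3e5a7f90",
    "typ": "Refresh",
    "azp": "web-app",
    "auth_time": 0,
    "session_state": "6c1e0c0a-3d2b-4c5f-8e9a-0b1c2d3e4f5a",
    "realm_access": {"roles": ["offline_access", "uma_authorization",
                               "user", "reviewer", "auditor"]},
    "resource_access": {
        "web-app": {"roles": ["view-profile", "manage-own-orders"]},
        "account": {"roles": ["manage-account", "manage-account-links",
                              "view-profile"]},
    },
    "scope": "openid email profile",
}


def _b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding Python's decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    """Canonical, whitespace-free JSON so byte counts are reproducible."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_unsigned_jwt(payload: dict) -> str:
    """header.payload. with alg=none and an empty signature, for size measurement
    only. A verifier must never accept alg=none; this token is not meant to be
    presented to anything."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((_b64url_encode(_compact_json(header)),
                     _b64url_encode(_compact_json(payload)), ""))


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS WITHOUT checking its signature.
    Use it to inspect a token you already hold, never to decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def claim_sizes(payload: dict) -> dict:
    """Bytes each top-level claim ('"name":value') contributes to the compact payload.
    The surrounding braces are subtracted so the numbers are per claim."""
    return {name: len(_compact_json({name: value})) - 2
            for name, value in payload.items()}


def without_claims(payload: dict, names) -> dict:
    """Copy of the payload with the named top-level claims dropped."""
    return {k: v for k, v in payload.items() if k not in names}


def compare_sizes(token: str) -> dict:
    """How much of the payload the role claims and the scope claim account for.
    Sizes are compact-JSON bytes of the payload; the base64url form of a real token
    is about 4/3 of that, plus a fixed header and signature."""
    payload = decode_payload(token)
    sizes = claim_sizes(payload)
    return {
        "payload_bytes": len(_compact_json(payload)),
        "payload_bytes_without_roles": len(_compact_json(without_claims(payload, ROLE_CLAIMS))),
        "payload_bytes_without_scope": len(_compact_json(without_claims(payload, SCOPE_CLAIMS))),
        "role_bytes": sum(sizes.get(n, 0) for n in ROLE_CLAIMS),
        "scope_bytes": sum(sizes.get(n, 0) for n in SCOPE_CLAIMS),
    }


if __name__ == "__main__":
    # Pass a real refresh token string instead of this constructed one to measure
    # your own deployment; the token is only decoded locally and never sent anywhere.
    for key, value in compare_sizes(build_unsigned_jwt(SAMPLE_PAYLOAD)).items():
        print(f"{key:28} {value}")
```

With the constructed payload the two role claims outweigh the scope claim by several times, which is the asymmetry the reply relies on; the same measurement on a real token shows whether that holds for a given realm's role set. Keep decode_payload to inspection only: it deliberately ignores the signature, so nothing it returns may be used for an authorization decision.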
