[keycloak-dev] Smaller RefreshTokens?
Marek Posolda
mposolda at redhat.com
Mon Apr 8 04:33:48 EDT 2019
Hi Thomas,
yes roles can be removed from the refresh tokens and maybe JIRA already
exists for this, but not 100% sure...
Client scopes can't actually be removed as you can have more refresh
tokens corresponding to same client in same user session and we want the
information about used client scopes to be tracked in the refresh token
itself (tracking that on server-side in the session has some other
disadvantages for various reasons...). I think this is not so big issue
as scopes in the tokens is not so huge as the roles?
Marek
On 06/04/2019 13:09, Thomas Darimont wrote:
> Hello,
>
> the refresh tokens which are currently issued by Keycloak contain standard
> JWT claims and references to the Keycloak session. Additionally they also
> contain realm roles and client role information together with the used
> scope.
>
> I'm wondering whether roles and scope information is required for refresh
> tokens or could even be removed?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list