[keycloak-user] access_token always contains JWT

Bill Burke bburke at redhat.com
Mon Feb 8 12:22:25 EST 2016


Yes.  We want that.  Just too busy :)

On 2/8/2016 12:16 PM, Scott Rossillo wrote:
> Opaque access tokens are an interesting idea for security reasons. 
> I’ve heard them referred to as "by reference" access tokens because 
> the actual JWT access token has to be stored somewhere. The OpenID 
> spec doesn’t address this but it’s a solid idea for access tokens 
> exposed to external applications, which do not need to be concerned 
> with, or possibly shouldn’t be privy to the information inside the token.
>
> There’s another option that may be more manageable. That is to offer a 
> per client option of encrypting the access token, known as JWE, or 
> JSON Web Encryption[0]. The basic idea is that the signed token is 
> then encrypted with a symmetrical key. This key would probably be a 
> realm level key. Another benefit or JWE is the access token payload is 
> compressed, making the access token shorter.
>
> Is this something we would be interested in adding support for?
>
> [0]: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com <mailto:srossillo at smartling.com>
>
>> On Feb 5, 2016, at 9:17 AM, manfred.duchrow at caprica.biz 
>> <mailto:manfred.duchrow at caprica.biz> wrote:
>>
>> Yes, that's true (even for some open source software too).
>> So am I supposed to put this JWT access token into the Authorization 
>> request header as Bearer value to authorize a request?
>> The access token I got from Keycloak is over 5000 characters long!
>>
>>
>> On 05.02.2016 13:47, Raghuram Prabhala wrote:
>>> Access token is implementation specific. Some commercial software 
>>> have the concept of "reference tokens" which are nothing but random 
>>> strings indicated below. The clients have to query back the 
>>> Authorization server to get a validated JWT token
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Stian Thorgersen <sthorger at redhat.com>
>>> *To:* manfred.duchrow at caprica.biz
>>> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
>>> *Sent:* Friday, February 5, 2016 7:10 AM
>>> *Subject:* Re: [keycloak-user] access_token always contains JWT
>>>
>>> There's no such thing as a "simple token". Tokens are always a 
>>> signed JWT.
>>>
>>> On 5 February 2016 at 11:17, <manfred.duchrow at caprica.biz> wrote:
>>>
>>>     Hi,
>>>
>>>     I am trying to retrieve an access token from a Keycloak (1.8.0.Final)
>>>     service account by
>>>     POST /auth/realms/myrealm/protocol/openid-connect/token
>>>     with grant_type=client_credentials.
>>>
>>>     The result contains a signed JWT as value of field "access_token" rather
>>>     than a simple token
>>>     as described in chapter 18 (Service Accounts) of the user guide.
>>>
>>>     So what I expect (need) is a response like this:
>>>
>>>     {
>>>          "access_token":"2YotnFZFEjr1zCsicMWpAA",
>>>          "token_type":"bearer",
>>>          "expires_in":60,
>>>          "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>>          "refresh_expires_in":600,
>>>          "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>>          "not-before-policy":0,
>>>          "session-state":"234234-234234-234234"
>>>     }
>>>
>>>     Is there a way to configure the account or the realm to return a simple
>>>     token
>>>     in "access_token" (and "refresh_token") rather than a JWT?
>>>
>>>     Cheers,
>>>        Manfred
>>>
>>>
>>>
>>>     _______________________________________________
>>>     keycloak-user mailing list
>>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>> -- 
>> ========================================
>> Caprica Ltd.
>> 69 Great Hampton Street
>> Birmingham, West Midlands, B186EW,
>> Registered in England and Wales
>> Company No. 5298548
>> Managing Director: Manfred Duchrow
>>
>> Zweigniederlassung Deutschland
>> Gartenstr. 48, 89150 Laichingen
>> Amtsgericht Ulm: HRB 5073
>> Geschäftsführer: Manfred Duchrow
>> ----------------------------------------
>> Tel:    +49 (0)7333 9232190
>> Fax:    +49 (0)7333 9232191
>> E-Mail:manfred.duchrow at caprica.de
>> ========================================
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/970431fe/attachment-0001.html 


More information about the keycloak-user mailing list