[keycloak-user] Guidelines for user attribute protocol mappers - when to add to IDToken vs. to AccessToken?
thomas.darimont at googlemail.com
Fri Mar 18 05:54:33 EDT 2016
Keycloak allows specifying custom "protocol mappers" for a
particular client or for multiple clients via client templates.
With these "protocol mappers", one can add custom information to the
JWT token, e.g. based on a user attribute, user property etc.
One has the option to add the attribute to the IDToken and / or to the
What would be a good guideline for developers to follow when choosing which
one (or both) to use?
Is it correct to say that the IDToken is just provided "once" after login,
whereas the AccessToken may be periodically renewed and is thus more
(in the sense that user attribute changes are propagated "sooner")?
When would it make sense to add information to the IDToken AND the