[keycloak-user] Guidelines for user attribute protocol mappers - when to add to IDToken vs. to AccessToken?

Thomas Darimont thomas.darimont at googlemail.com
Fri Mar 18 05:54:33 EDT 2016

Hello group,

Keycloak allows specifying custom "protocol mappers" for a

particular client or for multiple clients via client templates.

With these "protocol mappers", one can add custom information to the

JWT token, e.g. based on a user attribute, user property etc.

One has the option to add the attribute to the IDToken and / or to the

What would be a good guideline for developers to follow when choosing which
one (or both) to use?

Is it correct to say that the IDToken is just provided "once" after login,

whereas the AccessToken may be periodically renewed and is thus more

(in the sense that user attribute changes are propagated "sooner")?

When would it make sense to add information to the IDToken AND the


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/b13aff56/attachment.html 

More information about the keycloak-user mailing list