[keycloak-user] Is it possible to customize token claims? Especially, I don't want "sub" in the token claims.
hugh shangguan
hcsgzh at gmail.com
Wed Jul 11 00:03:41 EDT 2018
Hi there,
I am learning Keycloak system. I wonder if I can change the token claims.
In the endpoint,
http://localhost:8080/auth/realms/demo/.well-known/openid-configuration
I can see there is a claims_supported. Can I set it without "sub"?
"claims_supported": [
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported": [
"normal"
],
When I log in to Keycloak, I receive a token; the claims in the token look like
this.
{
"jti": "ea8ea454-6af2-4343-a51f-14092d7566bb",
"exp": 1531316875,
"nbf": 0,
"iat": 1531280875,
"iss": "http://localhost:8080/auth/realms/demo",
"sub": "a9ce424d-019b-4222-859d-eba851c875ff",
"auth_time": 0,
"session_state": "20dc46d8-029b-4b27-af37-e4b896789e96",
"resource_access": {},
"state_checker": "GYcbcAp8yFc0YCmBdKN9jJ1lqXT_oMp9Hoa1WW93uxw"
}
Can I change some config to turn the "sub" claim off? Is it safe that the browser
can get the user information?
My understanding of how Keycloak works is the steps below. Please point out if I
am wrong.
1. The client (browser) goes to the application server to ask for a protected URL, and it
is redirected to the Keycloak login page.
2. After the user finishes their login in the browser, the user gets a code from
Keycloak (it seems it actually is a token).
3. Then the browser sends the code to the application server.
4. The application server asks the Keycloak server whether the code is valid
and gets an access token. Then the application server decides whether or not to
allow the user.
But I see my browser just gets the access token with user information. I
wonder, is that secure?
Thanks
--
Hugh
Zhaohui Shangguan
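The check the application server performs in step 4 of the post, as an added example that is not from the post or from Keycloak: it verifies a token carrying the payload shown above and rejects tokens whose signature, issuer or lifetime fail or that lack a "sub" claim. The HS256 secret and the fixed "now" timestamp are constructed for the demo; Keycloak realm tokens are normally RS256-signed and would be checked against the realm's published keys.

```python
"""Added example (not from the original post or Keycloak): relying-party
validation of a token with the claims shown in the post. Secret and "now"
are constructed for the demo."""
import base64, hashlib, hmac, json

# Payload copied from the token in the post above.
CLAIMS = {
    "jti": "ea8ea454-6af2-4343-a51f-14092d7566bb",
    "exp": 1531316875, "nbf": 0, "iat": 1531280875,
    "iss": "http://localhost:8080/auth/realms/demo",
    "sub": "a9ce424d-019b-4222-859d-eba851c875ff",
    "auth_time": 0,
    "session_state": "20dc46d8-029b-4b27-af37-e4b896789e96",
    "resource_access": {},
}
SECRET = b"constructed-demo-secret"       # constructed, not a real key
REQUIRED = ("iss", "sub", "exp", "iat")   # some of the claims OIDC requires in an ID token

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token so the verifier below has something to check."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, secret: bytes, issuer: str, now: int) -> dict:
    """Return the claims if signature, issuer, lifetime and required
    claims all check out; raise ValueError otherwise."""
    header, body, sig = token.split(".")
    alg = json.loads(b64url_decode(header)).get("alg")
    if alg != "HS256":                    # pin the algorithm; never trust the token's alg blindly
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    missing = [c for c in REQUIRED if c not in claims]
    if missing:                           # a token without "sub" is rejected here
        raise ValueError(f"missing claims: {missing}")
    if claims["iss"] != issuer:
        raise ValueError("wrong issuer")
    if not (claims.get("nbf", 0) <= now < claims["exp"]):
        raise ValueError("token not valid at this time")
    return claims
```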