Keycloak Access Token vs UserInfo token?


Solution 1

I managed to figure out how to get different data whilst using Keycloak for these two endpoints:

Keycloak provides functionality for "OIDC Token and SAML Assertion Mappings" and you can also "control where the claim gets put" by using the buttons:
  - Add to ID token
  - Add to access token
  - Add to userinfo
By setting "Add to ID token" and "Add to access token" to OFF for some of the mappers, these will not be included in the access token, whereas they will be in the UserInfo response.

http://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers

Solution 2

The access token is meant to provide you access to the resources of your application. In order to get an access token, you have to authenticate yourself with any of the flows defined by the spec. In Keycloak, the access token contains the username and roles, but you can also add custom claims using the admin panel. Adding some claims may be useful because the token is sent in every single request and you can decode it from your application.

There's no user info token at all; actually, it is an endpoint. This endpoint is accessed using the access token that you get in the first step and usually provides a JSON response with detailed information about the user (such as user data, roles...).
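Added example, not code from either answer or from the Keycloak project: it shows the two sides described above in one runnable script. A resource server validates the access token locally on every request (signature, issuer, audience, token type, expiry), and the userinfo endpoint is just an HTTP call authenticated with that same bearer token. It also models the mapper setting from Solution 1: claims whose mapper has "Add to access token" OFF and "Add to userinfo" ON show up only in the userinfo response. The realm URL, client id, user profile and shared secret are constructed values; HS256 with a shared secret stands in for Keycloak's default RS256 (whose public keys come from the realm's JWKS endpoint) so the script runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values: a realm URL, a client id and a shared secret that
# exist only for this demo. Keycloak signs access tokens with RS256 by default;
# HS256 is used here so the example needs no extra libraries. The checks below
# (pin alg, verify signature, iss, aud, typ, exp) are the same ones a resource
# server performs against RS256 tokens.
ISSUER = "https://keycloak.example.test/realms/demo"
CLIENT_ID = "my-api"
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_access_token(claims: dict) -> str:
    """Stand-in for the realm issuing an access token (constructed HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now=None) -> dict:
    """What the resource server does on every request, without calling Keycloak."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API")
    if claims.get("typ") != "Bearer":  # Keycloak marks access tokens with typ=Bearer
        raise ValueError("not an access token")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def is_valid_access_token(token: str, now=None) -> bool:
    try:
        verify_access_token(token, now)
        return True
    except ValueError:
        return False


# Constructed profile as stored in the realm. group_membership and
# user_attribute model mappers with "Add to access token" OFF, "Add to userinfo" ON.
USER_PROFILES = {
    "1234-sub": {
        "sub": "1234-sub",
        "preferred_username": "USERNAME",
        "email": "user@example.test",
        "group_membership": ["/group1"],
        "user_attribute": ["userattribute"],
    }
}


def issue_access_token(sub: str, now=None) -> str:
    """Only claims whose mapper has "Add to access token" ON end up in the JWT."""
    now = time.time() if now is None else now
    profile = USER_PROFILES[sub]
    return sign_access_token({
        "iss": ISSUER, "aud": [CLIENT_ID], "azp": "frontend", "typ": "Bearer",
        "sub": sub, "iat": int(now), "exp": int(now) + 300,
        "preferred_username": profile["preferred_username"],
        "email": profile["email"],
        "realm_access": {"roles": ["user"]},
    })


def userinfo_endpoint(authorization: str) -> dict:
    """Stand-in for GET /realms/demo/protocol/openid-connect/userinfo.
    The endpoint validates the bearer token itself before answering."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    claims = verify_access_token(token)
    return dict(USER_PROFILES[claims["sub"]])


def claims_only_in_userinfo(token: str) -> set:
    """Claim names present in the userinfo response but absent from the access token."""
    local = verify_access_token(token)
    remote = userinfo_endpoint(f"Bearer {token}")
    return set(remote) - set(local)


if __name__ == "__main__":
    tok = issue_access_token("1234-sub")
    print("access token claims:", sorted(verify_access_token(tok)))
    print("only via userinfo:", sorted(claims_only_in_userinfo(tok)))
```

The point of keeping `verify_access_token` separate from `userinfo_endpoint` is that a resource server must never accept an access token just because decoding it at jwt.io shows plausible claims; the claims are only trustworthy after the signature, issuer, audience and expiry checks pass. The userinfo call is the extra round trip you make when the token has deliberately been kept small.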


Author: Melissa

Updated on June 04, 2022

Comments

  • Melissa, almost 2 years

    How does the access token differ from user info token when using Keycloak?

    From OAuth2/OpenID Connect I have understood that the access token gives information that the user has been authenticated and that you need to use the user info token to get more information about the user and its profile/roles etc.

    When I look at the access token in something like https://jwt.io/ vs. the UserInfo token, I am able to get the same information about the user's profile and roles.

    Why is it like this, and how does the access token differ from the user info token when using Keycloak?

  • Melissa, about 6 years
    Thanks @Xtreme, agreed. However, with Keycloak I get the same info on both. In the access token I get the following about the user:

        {
          ..
          "group_membership": [ "/group1" ],
          "user_attribute": [ "userattribute" ],
          "preferred_username": "USERNAME",
          "email": "[email protected]"
        }

    and the response from the UserInfo endpoint is

        {
          "group_membership": [ "/group1" ],
          "user_attribute": [ "userattribute" ],
          "preferred_username": "USERNAME",
          "email": "[email protected]"
        }
  • Aritz, about 6 years
    It depends on the implementation (in this case, KC) and how it is configured. The spec doesn't say it can't be the same info. But clearly, as I stated above, they serve different purposes.