Keycloak / KEYCLOAK-13933 Client Policies / KEYCLOAK-18127

Option to skip returning the user's claims in the ID Token for hybrid flow


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 14.0.0
    • Component/s: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      FAPI mentions the concept of an "ID Token used as detached signature". The main purpose of the ID Token is to be used as a detached signature and not as the source of the user's claims.

      It would be nice if we had an option to skip returning the user's claims in the ID Token and make sure that it can be used as a "detached signature". This way, the ID Token will still have claims like c_hash, s_hash, at_hash and nonce, but it won't have the user's claims. In other words, the protocolMappers won't be called during generation of the ID Token and Access Token that are returned from the Authorization response.

      More details in the discussion on keycloak-dev: https://groups.google.com/g/keycloak-dev/c/EXZQTEusJEI
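An added example, not part of this issue or of Keycloak's own code: a relying-party check, in Python, that an ID Token from a hybrid-flow authorization response actually works as a detached signature (its c_hash, at_hash and s_hash bind it to the code, access token and state, and its nonce matches the request) and exposes no user profile claims. The code, access token, state, nonce and the list of profile claim names are constructed assumptions.

```python
import base64
import hashlib

# Constructed sample values for a hybrid-flow authorization response
# (not taken from a real Keycloak deployment).
AUTHZ_CODE = "SplxlOBeZQQYbYS6WxSbIA"
ACCESS_TOKEN = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"
STATE = "af0ifjsldkj"
NONCE = "n-0S6_WzA2Mj"

# Assumed set of profile claims a "detached signature" ID Token must not carry.
USER_CLAIMS = {"name", "email", "preferred_username", "given_name", "family_name"}

def left_half_hash(value: str) -> str:
    """base64url(left-most 128 bits of SHA-256(value)), the construction used
    for c_hash, at_hash and s_hash when the ID Token is signed with a SHA-256
    based algorithm such as RS256 or ES256."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")

def check_detached_signature(claims: dict, code: str, access_token: str,
                             state: str, nonce: str) -> list:
    """Return the problems found; an empty list means the ID Token binds the
    code, access token and state, carries the expected nonce, and exposes no
    user claims."""
    problems = []
    expected = {"c_hash": left_half_hash(code),
                "at_hash": left_half_hash(access_token),
                "s_hash": left_half_hash(state)}
    for name, want in expected.items():
        if claims.get(name) != want:
            problems.append(f"{name} missing or does not match the response")
    if claims.get("nonce") != nonce:
        problems.append("nonce missing or does not match the request")
    leaked = sorted(USER_CLAIMS & set(claims))
    if leaked:
        problems.append("user claims present: " + ", ".join(leaked))
    return problems

def sample_id_token_claims(with_user_claims: bool = False) -> dict:
    """Constructed ID Token payload bound to the sample response above."""
    claims = {"iss": "https://idp.example", "sub": "1234", "aud": "client-app",
              "nonce": NONCE, "c_hash": left_half_hash(AUTHZ_CODE),
              "at_hash": left_half_hash(ACCESS_TOKEN), "s_hash": left_half_hash(STATE)}
    if with_user_claims:  # what a token with protocolMappers applied would add
        claims.update({"name": "Jane Doe", "email": "jane@example.com"})
    return claims
```

Signature verification of the JWS itself is assumed to happen before these payload checks.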


              People

              Assignee: Unassigned
              Reporter: Marek Posolda (mposolda@redhat.com)
              Votes: 0
              Watchers: 2
