  1. Keycloak
  2. KEYCLOAK-3360

Make inclusion of IDToken in refresh AccessToken requests configurable

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Currently Keycloak generates 3 Tokens when refreshing an Access Token:

      • new Refresh Token
      • new Access Token
      • new ID Token

      Since token generation is computationally expensive, it would be helpful if one could disable the generation of the ID Token, which, according to the OpenID specs, is not necessary for the refresh Access Token response.

      See: http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2

      Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 *except that it might not contain an id_token.*

      Emphasis added by me.

      Here is the discussion on the mailing list:
      http://lists.jboss.org/pipermail/keycloak-user/2016-May/006304.html

      I'd propose to add a realm-wide switch to the "Tokens" Configuration tab in the Realm-Settings of the Admin-Console, which would then be accessible via the RealmModel interface.

            People

            Assignee: Unassigned
            Reporter: Thomas Darimont (tdarimont)
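The Section 12.2 rule quoted in the description, seen from the relying party's side, as an added example that is not part of the issue or of Keycloak's code: a client must accept a refresh response without an id_token, and when one is returned its claims must match the original login. The function names, the session layout and the sample values are hypothetical, and the claim dicts are assumed to come from JWTs whose signatures were already verified.

```python
import time

class RefreshError(Exception):
    """Refresh response violates OpenID Connect Core section 12.2."""

def check_refreshed_id_token(original, new, now=None, skew=60):
    """Compare a refreshed ID Token's claims with the original login's.

    Both dicts are assumed to come from JWTs whose signature and expiry
    were already verified elsewhere (not shown here).
    """
    now = time.time() if now is None else now
    # iss, sub and aud must be identical; azp must be identical, which
    # also covers "absent originally, so absent now".
    for claim in ("iss", "sub", "aud", "azp"):
        if new.get(claim) != original.get(claim):
            raise RefreshError(f"{claim} changed on refresh")
    # auth_time, when present, is the original login time, not the refresh time.
    if "auth_time" in new and "auth_time" in original \
            and new["auth_time"] != original["auth_time"]:
        raise RefreshError("auth_time changed on refresh")
    # iat must be the time the new token was issued.
    if abs(now - new.get("iat", 0)) > skew:
        raise RefreshError("iat is not the current time")

def apply_refresh(session, response, new_claims=None, now=None):
    """Return an updated session dict from a refresh Token Response."""
    updated = dict(session, access_token=response["access_token"])
    # A new refresh_token is optional; keep the old one if none was sent.
    updated["refresh_token"] = response.get("refresh_token", session["refresh_token"])
    if "id_token" in response:
        if new_claims is None:
            raise RefreshError("id_token present but its claims were not verified")
        check_refreshed_id_token(session["id_claims"], new_claims, now)
        updated["id_token"], updated["id_claims"] = response["id_token"], new_claims
    # No id_token in the response: the session keeps the original one.
    return updated

# Constructed sample session (placeholder token strings, example issuer URL).
SESSION = {
    "access_token": "at-1", "refresh_token": "rt-1", "id_token": "idt-1",
    "id_claims": {"iss": "https://sso.example.test/realms/demo", "sub": "u-42",
                  "aud": "my-app", "iat": 1000, "auth_time": 1000},
}
```

A client written this way keeps working whether or not the server sends an ID Token on refresh, so a server-side switch like the one proposed would not break it.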