Replies: 6 comments 5 replies
- Do you know what the state of it is beyond "proposed standard"?
- If this specification gets real traction and not push-back I'm all for following this RFC, but would like to make sure it is on the road to becoming an official standard. Wondering also a bit about how we could do it, and how much it conflicts with existing claims we have. A basic approach could just be to have a client scope for it, which is for example what we did for the MicroProfile JWT standard.
- @stianst I see. IMO, we need not follow this specification in a hurry. If it is needed in the future, we would resume this discussion.
- Just stumbled on this discussion as we are currently looking for a standardized way to interpret access tokens, and RFC 9068 seems to be the only standard documenting a layout, some attributes and verification steps so far. So maybe we could get the adoption going again?
- Hi @stianst, is this now officially supported in v25? I saw a change merged that addresses the access token type but didn't notice the RFC mentioned in the release notes.
- According to rfc9068#section-2.1:
  It then says:
  Therefore, it is not just a recommendation, but a requirement that the
  There is already a switch in DefaultTokenManager.java#L239 on the token category to set a specific type for logout tokens. Could we extend this with a case for the
  I realize that this is a breaking change, but without such a change, Keycloak is not compatible with OAuth2 resource servers that verify the
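The checks this comment refers to (the typ header and the resource-server verification steps of RFC 9068), as an added example that is neither Keycloak's code nor code posted by anyone in this thread. It assumes HS256 with a shared secret so it runs offline; Keycloak signs with asymmetric keys published on its JWKS endpoint, so a real resource server would verify against those instead. The issuer, audience, secret and claim values are constructed for the example.

```python
"""Resource-server checks for an RFC 9068 access token (added example).

Assumption (not from the thread): HS256 with a shared secret is used so the
example runs offline. Keycloak signs with asymmetric keys published on its
JWKS endpoint, so a real resource server would verify against those.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Claims RFC 9068 section 2.2 requires in every access token
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")
# typ header values a resource server accepts per RFC 9068 section 4
ACCEPTED_TYP = ("at+jwt", "application/at+jwt")

# Constructed sample values (not from any real deployment)
DEMO_SECRET = b"constructed-demo-secret"
DEMO_CLAIMS = {
    "iss": "https://idp.example/realms/demo",
    "exp": 1700000600,
    "aud": "api.example",
    "sub": "user-1",
    "client_id": "demo-client",
    "iat": 1700000000,
    "jti": "constructed-id-1",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(claims: dict, secret: bytes, typ: str = "at+jwt") -> str:
    """Issue a compact JWS; typ defaults to the RFC 9068 media type."""
    header = {"alg": "HS256", "typ": typ}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, secret: bytes, expected_iss: str,
                        expected_aud: str, now: Optional[float] = None) -> dict:
    """Apply the RFC 9068 section 4 checks; return the claims or raise ValueError."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = segments
    header = json.loads(_b64url_decode(h_b64))
    # Reject anything not explicitly typed as an access token, so ID tokens
    # or logout tokens from the same issuer are not accepted at the API.
    if header.get("typ") not in ACCEPTED_TYP:
        raise ValueError("unexpected typ header: %r" % header.get("typ"))
    if header.get("alg") != "HS256":  # never honour alg "none" or an unexpected alg
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (h_b64 + "." + p_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError("missing required claims: %s" % ", ".join(missing))
    if claims["iss"] != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("token not intended for this resource server")
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Mint a constructed token and run it through the checks."""
    token = mint_hs256_token(DEMO_CLAIMS, DEMO_SECRET)
    return verify_access_token(token, DEMO_SECRET, DEMO_CLAIMS["iss"],
                               "api.example", now=DEMO_CLAIMS["iat"] + 60)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The typ check is what makes the breaking change in the comment above matter: a resource server written to this RFC rejects a token whose header still says `JWT`, however valid its signature and claims are.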
- The RFC for self-contained JWT access tokens has been published:
  RFC 9068 JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
  Keycloak's current access token (and refresh token) is a self-contained JWT access token.
  It might be good for Keycloak's access token to follow this RFC. WDYT?