Adding Claims in Refresh Token is not supported in Keycloak? #14840
pranavsurwade started this conversation in New Admin Console
-
A refresh token should be bound to the user for which it was issued. And it is not intended to provide any claims which are evaluated by a resource server (API).
How could you use a refresh token to get an access token for a different user?
-
As we know that Keycloak doesn't provide any way to add claims for a refresh token, we can only add claims in the access token, which results in a lack of security issue, as using the refresh token of another user, one can get access to all APIs. A better approach to solve it is to add claims in the refresh token and enhance security.