Jack Murphy

Reputation: 3020

Why is 'id' called 'sub' in keycloak?

I'm looking at the new Keycloak Beta 4 API. When I get the user's account information, what is referred to as 'id' in the web UI comes back as 'sub' in the account object.

{ sub: '25a37fd0-d10e-40ca-af6c-821f20e01be8',
  name: 'Barrack Obama',
  preferred_username: '[email protected]',
  given_name: 'Barrack',
  family_name: 'Obama',
  email: '[email protected]' }

What is 'sub' and is this a safe uuid to map database objects to?

Upvotes: 16

Views: 9970

Answers (2)

Andrey Popov

Reputation: 7510

In addition to the previous answer, inside JWT tokens, sub refers to subject. The reason is that those tokens can be used in various cases, including authorization. That means that id sometimes might not be "the unique identifier" but might be anything, including repeatable destinations. Basically, it is a naming convention JWT follows, regardless of Keycloak.

Upvotes: 4

Subodh Joshi

Reputation: 13492

As per the Keycloak documentation:

Anatomy of Action Token

An action token is a standard JSON Web Token signed with the active realm key, where the payload contains several fields:

typ - Identification of the action (e.g. verify-email)

iat and exp - Times of token validity

sub - ID of the user

azp - Client name

iss - Issuer - URL of the issuing realm

aud - Audience - list containing URL of the issuing realm

asid - ID of the authentication session (optional)

nonce - Random nonce to guarantee uniqueness of use if the operation can only be executed once (optional)

Please refer to the following link: https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_anatomy

The reason may be that they want to retain the uniqueness in the name.

Upvotes: 12
