Reputation: 196
I set up Keycloak following this guide: https://hub.docker.com/r/jboss/keycloak/. I used MySQL as the database. I figured that with attributes additional data can be stored in Keycloak and with mappers it is possible to associate it with clients. My question is: is it good practice to store user data this way? And where should the data be attached? One can attach the attributes to the access token, ID token or user info. All of which is optional and raises some more questions, which brings me to my second question.
Attributes can change or be added when access tokens have already been issued to the user. This means the client won't have immediate access to those attributes via the tokens in use, since the user might still have an older token to which the new attribute was not attached. My question is: how does one deal with this? Am I doing something fundamentally wrong?
I found a related topic: How can I get other users info(username, firstname) by id? [Keycloak]. But this suggests that the client is an admin user or has additional privileges (is a service account).
Upvotes: 4
Views: 7486
Reputation: 3721
Question 1: It is absolutely okay to put additional data into user attributes. That's the purpose of these attributes. With claim mappers you are completely free to define which attributes go into which tokens. In combination with client scopes it is easy to re-use the same claim mappings with multiple clients.
Question 2: Usually you're using an access token and a refresh token. The access token has a short, limited life-span (e.g. 1-5 minutes). When an access token expires, the refresh token is used to retrieve a new access token. In Keycloak the creation of such a new access token applies all claim mappers again, and therefore any changes in user attributes will be reflected in the new access token. So eventually, the configured expiration time of your access tokens determines the maximum time to wait until changed attributes become visible to the application through the access token.
Upvotes: 3
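The following is an added example, not part of the answer above and not Keycloak's own code. It simulates the mechanism the answer describes: claim mappers are applied at token issue time, so a client holding an unexpired access token keeps seeing the old attribute set, and the changed attribute only appears once the token expires and a new one is issued. The mapper table (`CLAIM_MAPPERS`), the user record layout, the `ClientSession` class and the HS256 shared secret are all constructed assumptions for the demo; a real Keycloak realm signs tokens with an RS256 key pair and the client verifies against the realm's public key instead.

```python
"""Added example (standard library only): how re-issuing an access token
re-applies claim mappers, so changed user attributes become visible to a
client only after its current access token expires.

Mapper table, user layout and the HS256 secret are constructed for the demo;
Keycloak itself signs access tokens with the realm's RS256 key."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Hypothetical claim mappers: user attribute name -> claim name in the token
CLAIM_MAPPERS = {"department": "department", "phone": "phone_number"}


def issue_access_token(user: dict, now: int, secret: bytes, ttl: int = 300) -> str:
    """Server side: apply every mapper to the user's *current* attributes,
    then sign the result (HS256 here, simplified from Keycloak's RS256)."""
    claims = {"sub": user["id"], "iat": now, "exp": now + ttl}
    for attr, claim in CLAIM_MAPPERS.items():
        if attr in user["attributes"]:
            claims[claim] = user["attributes"][attr]
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, secret: bytes, now: int) -> dict:
    """Client side: check signature and expiry before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


class ClientSession:
    """Holds a client's current access token and refreshes it only on expiry,
    which is when the server re-applies the mappers."""

    def __init__(self, user: dict, secret: bytes, now: int):
        self.user, self.secret = user, secret
        self.token = issue_access_token(user, now, secret)

    def claims(self, now: int) -> dict:
        try:
            return verify_and_decode(self.token, self.secret, now)
        except ValueError:
            # Refresh: a new token is built from the attributes as they are *now*.
            self.token = issue_access_token(self.user, now, self.secret)
            return verify_and_decode(self.token, self.secret, now)


def demo():
    """Returns (claims before change, claims while old token is still valid,
    claims after expiry-triggered refresh)."""
    secret = b"constructed-demo-secret"  # constructed value for the example
    user = {"id": "u1", "attributes": {"phone": "+10000000000"}}
    session = ClientSession(user, secret, now=0)
    before = session.claims(now=10)
    user["attributes"]["department"] = "security"  # admin adds an attribute at t=60
    stale = session.claims(now=60)   # token still valid: no department claim yet
    fresh = session.claims(now=301)  # expired -> refreshed -> mapper re-applied
    return before, stale, fresh


if __name__ == "__main__":
    for label, c in zip(("before", "stale", "fresh"), demo()):
        print(label, c)
```

The `stale` result is the situation the question describes: the attribute already exists on the server, but the client cannot see it until its token lifetime (here 300 s, matching the answer's "1-5 minutes") runs out. Shortening the access token lifespan is the lever for reducing that delay; the client must still verify the signature and `exp` on every token rather than caching claims beyond their lifetime.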