Keycloak Access Token vs UserInfo token?

Question

How does the access token differ from user info token when using Keycloak?

From OAuth2/OpenIDConnect I have understood that the access token gives information that the user has been authenticated and that you need to use the user info token to get more infomation about the user and its profile/roles etc.

When I look at the access token in something like https://jwt.io/ vs. the UserInfo token. I am able to get the same information about the users profile & roles.

Why is it like this, and how does the access token differ from user info token when using Keycloak?

Answer 1

The access token is meant to provide you access to the resources of your application. In order to get an access token, you have to authenticate yourself with any of the flows defined by the spec. In keycloak, access token contains the username and roles, but you can also add custom claims using the admin panel. Adding some claims may be useful because the token is sent in every single request and you can decode it from your application.

There's no user info token at all, actually it is an endpoint. This endpoint is accessed using the access token that you get in the first step and usually provides a JSON response with detailed information about the user (such as user data, roles...).

Answer 2

I managed to figure out how to get different data whilst using Keyclok for these two endpoints:

Keycloak provides functionality for "OIDC Token and SAML Assertion Mappings" and you can also "control where the claim gets put." by using the buttons : - Add to ID token - Add to access token - Add to userinfo By setting "Add to ID token" and "Add to access token" to OFF for some of the mappers. These will not be included on the AccessToken where as they will be in the UserInfo response.

http://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers