  1. I have set up Keycloak following this guide: https://hub.docker.com/r/jboss/keycloak/ using MySQL as the database. I figured that with attributes, additional data can be stored in Keycloak, and with mappers it is possible to associate that data with clients. My question is whether it is ok (good practice) to store user data that I want to access later in Keycloak this way, and where the data should be attached, since one can attach the attributes to the access token, the ID token or the userinfo. All of which is optional and raises some more questions, which brings me to my second question.

  2. Attributes can change or be added after access tokens have already been issued to the user. This means the client won't have immediate access to those attributes via the tokens in use, since the user might still have an older token to which the new attribute was not attached. My question is: how does one deal with this? Am I doing something fundamentally wrong?

I found a related topic: How can I get other users info(username, firstname) by id? [Keycloak]. But this suggests that the client is an admin user or has additional privileges (is a service account).

Yggdrasill

1 Answer


Question 1: It is absolutely okay to put additional data into user attributes; that's the purpose of these attributes. With claim mappers you are completely free to define which attributes go into which tokens. In combination with client scopes it is easy to re-use the same claim mappings with multiple clients.

Question 2: Usually you are using an access token along with a refresh token, and the access token has a short, limited life-span (e.g. 1-5 minutes). When an access token expires, the refresh token is used to retrieve a new access token. In Keycloak the creation of such a new access token applies all claim mappers again, and therefore any changes in user attributes will be reflected in the new access token. So eventually the configured expiration time of your access tokens determines the maximum time to wait until changed attributes become visible to the application through the access token.

Boomer
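The mapper and refresh behaviour described in the answer, as an added example that is not part of the original page and not Keycloak's code: a small offline simulation of the realm's side (user attributes, claim mappers, the token and userinfo endpoints) and of a client that caches its access token and refreshes only after `exp`. The names `IdP`, `Mapper`, `Client`, the user `alice` and the attributes `department` / `cost_center` are hypothetical, and HS256 with a constructed shared secret stands in for the realm's RS256 key. The run shows the point of Question 2: an attribute changed while a token is still valid stays stale in that token until the next issuance, so the access token lifespan is the upper bound; it also shows that a claim mapped to userinfo is evaluated per request, so it reflects the change at once at the cost of a round-trip.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass

# Constructed for this example: an HS256 shared secret stands in for the realm's RSA
# signing key so the demo runs offline. Keycloak itself signs tokens with RS256.
SIGNING_KEY = b"example-only-realm-key"
ACCESS_TOKEN_LIFESPAN = 300  # seconds; 5 minutes is Keycloak's default access token lifespan

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint a compact JWS over the claims (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Return the claims only if the signature is valid and `exp` has not passed."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_unb64url(body))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

@dataclass
class Mapper:
    attribute: str            # user attribute to read
    claim: str                # claim name to emit
    add_to_access: bool = True
    add_to_id: bool = False
    add_to_userinfo: bool = False

class IdP:
    """Stand-in for the realm: user attributes, the mappers, and the token endpoints."""
    def __init__(self, mappers):
        self.mappers = mappers
        self.users = {}           # sub -> attribute dict (what the admin API edits)
        self.refresh_tokens = {}  # opaque refresh token -> sub

    def _apply(self, sub, target):
        """Evaluate the mappers aimed at one target against the user's *current* attributes."""
        attrs = self.users[sub]
        return {m.claim: attrs[m.attribute] for m in self.mappers
                if getattr(m, target) and m.attribute in attrs}

    def issue(self, sub: str, now: int) -> dict:
        base = {"sub": sub, "iat": now, "exp": now + ACCESS_TOKEN_LIFESPAN}
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = sub
        return {"access_token": sign_jwt({**base, **self._apply(sub, "add_to_access")}),
                "id_token": sign_jwt({**base, **self._apply(sub, "add_to_id")}),
                "refresh_token": refresh}

    def refresh(self, refresh_token: str, now: int) -> dict:
        sub = self.refresh_tokens.pop(refresh_token)  # single use, like rotated refresh tokens
        return self.issue(sub, now)

    def userinfo(self, access_token: str, now: int) -> dict:
        """Mappers run at request time here, so userinfo reflects attribute changes at once."""
        sub = verify_jwt(access_token, now)["sub"]
        return {"sub": sub, **self._apply(sub, "add_to_userinfo")}

class Client:
    """Caches a token set and refreshes only once the access token is rejected as expired."""
    def __init__(self, idp: IdP, sub: str, now: int):
        self.idp, self.tokens, self.refreshes = idp, idp.issue(sub, now), 0

    def access_claims(self, now: int) -> dict:
        try:
            return verify_jwt(self.tokens["access_token"], now)
        except ValueError:
            self.tokens = self.idp.refresh(self.tokens["refresh_token"], now)
            self.refreshes += 1
            return verify_jwt(self.tokens["access_token"], now)

def demo() -> dict:
    """Change attributes while a token is live; watch when each consumer sees the change."""
    idp = IdP([Mapper("department", "dept", add_to_id=True, add_to_userinfo=True),
               Mapper("cost_center", "cc", add_to_userinfo=True)])
    idp.users["alice"] = {"department": "sales"}
    client = Client(idp, "alice", now=0)
    before = client.access_claims(0)["dept"]
    # Admin edits one attribute and adds another while the token is still valid.
    idp.users["alice"].update({"department": "finance", "cost_center": "CC-42"})
    stale = client.access_claims(120)                        # within lifespan: stale claims
    live = idp.userinfo(client.tokens["access_token"], 120)  # userinfo: evaluated now
    fresh = client.access_claims(ACCESS_TOKEN_LIFESPAN + 1)  # expired: refresh re-runs mappers
    return {"before": before, "stale_dept": stale["dept"], "stale_has_cc": "cc" in stale,
            "userinfo_dept": live["dept"], "userinfo_cc": live["cc"],
            "fresh_dept": fresh["dept"], "fresh_cc": fresh["cc"], "refreshes": client.refreshes}
```

Two practical consequences follow from the run. A resource server must check `exp` and the signature before trusting any attribute claim, because a stale but still-valid token is by design; and if an application needs a change to be visible sooner than the lifespan allows, the options are a shorter lifespan (more refresh traffic), a userinfo call for the attributes in question, or forcing a refresh after the change, not reading the cached token past `exp`.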
  • I feel like my problems and questions arise from the fact that I don't quite understand how to update the user data, or rather whether to do so at all. I mean, how does the user update his data? What is the purpose of the Update endpoint in the API anyway? What are the user attributes intended for, if the client can't rely on them? – Yggdrasill Aug 13 '21 at 08:44
  • Hey @Yggdrasill, I need to save user info in the Keycloak database after redirection. After redirection I am receiving a response which contains user info and other info. I want to save the user info in the Keycloak DB in my custom SPI. Did you find any way to do it? – Muhammad Haseeb Jan 19 '23 at 11:59
  • Hi @MuhammadHaseeb, I stopped working with Keycloak at some point because it was creating too much overhead. Sorry to say that I can't help you with your questions. – Yggdrasill Feb 11 '23 at 14:19