Versions Compared

Version Old Version 5 New Version 6
Changes made by

Rehan Agarwal

Andreas Marinello

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Self-Contained vs Reference Token

A selfSelf-contained tokens are tokens that contain the claims inside a protected structure such as an JSON Web Token. The recipient of the token has all the information needed inside the token.

On the other hand, a reference token, or sometimes called opaque token, does not contain any information except the reference. This reference, an infeasible-to-guess id, can be used to access the token service in exchange for the required information by using a back-channel communication. Even tough though this requires additional calls to the token service, it offers greater security as the token service can immediately revoke tokens as the resource has to go through the resource service each time it needs to validate access.

To use the reference token method set always_include_user_claims_in_id_token to 1 or in Admin UI check the "Benutzerclaims in ID Token immer inkludieren" option in the client config on the token tab.
In order to get the user claims, a call to the userinfo endpoint ({{idp_url}}/connect/userinfo) with a valid access token is needed.