...

This access token does not contain any information about the user except the user's ID (the sub / subject claim).

Claims in access token

Claims in the access token can be limited in size, to avoid oversized HTTP headers in some deployments. Each claim type can be limited individually through the "size limit in KB" setting in the claim configuration user interface; any value above 0 enables the limit for that claim type, 0 leaves it unlimited.

When a claim type reaches its limit, the claim type claim_type_limit_reached is automatically added to the token. Its value is a string, or a list of strings, naming the claim types that reached the limit. The limited claim type itself is still added, but only with as many elements as fit within the limit. Clients should treat such a claim as incomplete and load the full data from the userinfo endpoint instead. This mitigates edge cases such as a user with several hundred delegations behind an infrastructure that limits HTTP headers to 4 KB.
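The following Python example is added here and is not part of this page or the identity provider's own code. It illustrates the behaviour described above from both sides: a server-side helper truncates a multi-valued claim to a hypothetical per-type KB limit and adds claim_type_limit_reached, and a client-side helper reads that claim from a constructed, unsigned access token to decide which claim types have to be loaded from the userinfo endpoint. The sample claims, the 1 KB limit on the delegation claim, and measuring the size as compact JSON are assumptions of the example.

```python
import base64
import json

# Claims as the token service would see them before issuing the access token.
# Constructed for this example; the 300 delegation entries stand in for the
# "several hundred delegations" case described above.
SAMPLE_CLAIMS = {
    "sub": "8f3c1e7a-0000-4000-8000-000000000001",
    "role": ["reader", "editor"],
    "delegation": [f"tenant-{i:04d}" for i in range(300)],
}

# Hypothetical per-claim-type limits in KB (0 or absent = unlimited), standing
# in for the "size limit in KB" setting of the claim configuration.
SAMPLE_LIMITS_KB = {"delegation": 1}

LIMIT_CLAIM = "claim_type_limit_reached"


def _json_size(value) -> int:
    """Byte size of a claim value as compact JSON. How the service measures
    the size is an assumption of this example, not stated on the page."""
    return len(json.dumps(value, separators=(",", ":")).encode("utf-8"))


def apply_claim_size_limits(claims: dict, limits_kb: dict) -> dict:
    """Server side: a multi-valued claim type whose limit is reached is kept,
    but filled only with as many elements as fit; claim_type_limit_reached
    lists the affected claim types. Scalars are passed through unchanged."""
    out = {}
    reached = []
    for claim_type, value in claims.items():
        limit = limits_kb.get(claim_type, 0) * 1024
        if limit <= 0 or not isinstance(value, list) or _json_size(value) <= limit:
            out[claim_type] = value          # unlimited, scalar, or within budget
            continue
        kept = []
        for item in value:
            if _json_size(kept + [item]) > limit:
                break                        # the next element would exceed the limit
            kept.append(item)
        out[claim_type] = kept
        reached.append(claim_type)
    if reached:
        out[LIMIT_CLAIM] = reached
    return out


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED compact JWT for this demo only. Real access tokens
    are signed and must be validated before any claim in them is trusted."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def claim_types_to_load_from_userinfo(access_token: str) -> list:
    """Client side: read claim_type_limit_reached from an already validated
    token and return the claim types that must be fetched from the userinfo
    endpoint ({{idp_url}}/connect/userinfo) instead of being used as-is."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64 padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    reached = payload.get(LIMIT_CLAIM, [])
    return [reached] if isinstance(reached, str) else list(reached)


if __name__ == "__main__":
    limited = apply_claim_size_limits(SAMPLE_CLAIMS, SAMPLE_LIMITS_KB)
    token = make_unsigned_jwt(limited)
    print(len(limited["delegation"]), "of", len(SAMPLE_CLAIMS["delegation"]),
          "delegations kept in the token")
    print("load from userinfo:", claim_types_to_load_from_userinfo(token))
```

With a 1 KB limit the delegation list is cut to the first 73 entries and claim_type_limit_reached becomes ["delegation"]; a client that ignores that marker would silently authorize against an incomplete delegation list, which is why the check belongs right after token validation.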

Identity Token

Whenever an application requires any information about the authenticated user, it should use the OpenID Connect protocol to obtain an ID token. This ID token contains the requested information about the user, such as the first or last name.

...

For example, you might configure a refresh token to have an absolute expiration time of 30 days. Regardless of how often the user uses the token within those 30 days, it will expire at the end of that period.

...

Sliding expiration extends the expiration period of a refresh token each time a new one is issued (by the amount specified in the client configuration). This improves the user experience, as active users do not need to re-authenticate or refresh their tokens as frequently.

For instance, if the sliding expiration is set to 5 days and the user interacts with the application within those 5 days, the expiration is reset to 5 days from the last refresh, without exceeding the maximum limit if one is set (for example 90 days).

...

Note

Important: The absolute expiration period can be combined with the sliding expiration period. The absolute expiration then serves as a hard limit on the token's total lifetime: the sliding mechanism can extend the token's duration only as long as it does not exceed the absolute expiration period.
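As an added example (not from the original page or the identity provider's code), the following Python code computes a refresh token's expiry from the absolute and sliding lifetimes and walks through a sequence of refresh attempts, showing how sliding pushes the expiry out from each refresh while the absolute lifetime caps it. The 30-day absolute lifetime, the 5-day sliding lifetime and the issue date are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical client configuration values for this example.
ABSOLUTE_LIFETIME = timedelta(days=30)   # hard cap, counted from the first issue
SLIDING_LIFETIME = timedelta(days=5)     # extension granted at every refresh

# Assumed first-issue time of the refresh token; day(n) is n days later.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


def refresh_token_expiry(issued_at, refreshed_at, absolute, sliding):
    """Expiry of the refresh token handed out at refreshed_at.

    Sliding expiration counts from the moment of the refresh; the absolute
    lifetime counts from the first issue and caps the result. absolute=None
    means no absolute limit is configured."""
    sliding_expiry = refreshed_at + sliding
    if absolute is None:
        return sliding_expiry
    return min(sliding_expiry, issued_at + absolute)


def can_refresh(issued_at, last_refreshed_at, now, absolute, sliding) -> bool:
    """True if the token issued at last_refreshed_at is still valid at now."""
    return now < refresh_token_expiry(issued_at, last_refreshed_at, absolute, sliding)


def simulate(issued_at, refresh_times, absolute, sliding):
    """Walk a sequence of refresh attempts. Returns a list of
    (attempt_time, accepted, expiry_of_newly_issued_token_or_None)."""
    last = issued_at
    events = []
    for t in refresh_times:
        if can_refresh(issued_at, last, t, absolute, sliding):
            last = t
            events.append((t, True, refresh_token_expiry(issued_at, last, absolute, sliding)))
        else:
            events.append((t, False, None))   # expired: user must re-authenticate
    return events


if __name__ == "__main__":
    # An active user refreshing every 4 days runs into the 30-day hard limit.
    for t, ok, exp in simulate(day(0), [day(n) for n in (4, 8, 12, 16, 20, 24, 28, 29, 31)],
                               ABSOLUTE_LIFETIME, SLIDING_LIFETIME):
        print(t.date(), "accepted" if ok else "rejected", exp.date() if exp else "-")
    # A user idle for 6 days exceeds the 5-day sliding window.
    for t, ok, exp in simulate(day(0), [day(3), day(7), day(13)],
                               ABSOLUTE_LIFETIME, SLIDING_LIFETIME):
        print(t.date(), "accepted" if ok else "rejected", exp.date() if exp else "-")
```

The refresh on day 28 is accepted, but the new token expires on day 30 rather than day 33, and the attempt on day 31 is rejected even though the user was active two days earlier; without the absolute limit the same usage pattern would keep the session alive indefinitely.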

...

Note

Important: A client needs to be explicitly authorized to request refresh tokens by setting AllowOfflineAccess to true. The client must additionally request the offline_access scope for a refresh token to be issued.

...

To use reference tokens, set always_include_user_claims_in_id_token to 1 (in the Admin UI: check the "Benutzerclaims in ID Token immer inkludieren" ("always include user claims in ID token") option in the client configuration), then on the client's token tab set the option "Access token type" to Reference.
Since a reference token carries no claims itself, the user claims have to be obtained by calling the userinfo endpoint ({{idp_url}}/connect/userinfo) with a valid access token.

...