8
votes

How does the access token differ from user info token when using Keycloak?

From OAuth2/OpenID Connect I have understood that the access token gives information that the user has been authenticated and that you need to use the user info token to get more information about the user and its profile/roles etc.

When I look at the access token in something like https://jwt.io/ vs. the UserInfo token, I am able to get the same information about the user's profile & roles.

Why is it like this, and how does the access token differ from user info token when using Keycloak?

2
Can you put some reference about the user info token? I haven't seen anything about it in the specs. - Xtreme Biker

These endpoints are based on the OpenID Connect standard (not a Keycloak specific thing).
- Token Endpoint (openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint): "To obtain an Access Token, an ID Token"
- UserInfo Endpoint (openid.net/specs/openid-connect-core-1_0.html#UserInfo): "The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User."
- Melissa

2 Answers

7
votes

The access token is meant to provide you access to the resources of your application. In order to get an access token, you have to authenticate yourself with any of the flows defined by the spec. In Keycloak, the access token contains the username and roles, but you can also add custom claims using the admin panel. Adding some claims may be useful because the token is sent in every single request and you can decode it from your application.

There's no user info token at all; actually, it is an endpoint. This endpoint is accessed using the access token that you get in the first step and usually provides a JSON response with detailed information about the user (such as user data, roles...).

6
votes

I managed to figure out how to get different data whilst using Keycloak for these two endpoints:

Keycloak provides functionality for "OIDC Token and SAML Assertion Mappings" and you can also "control where the claim gets put" by using the buttons:
- Add to ID token
- Add to access token
- Add to userinfo

By setting "Add to ID token" and "Add to access token" to OFF for some of the mappers, these will not be included in the AccessToken, whereas they will be in the UserInfo response.

http://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers
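As an added example that is not part of either answer and not Keycloak's own code: a small Python client that reads the access token's claims the way jwt.io does (payload only, no verification), calls the UserInfo endpoint with that token as a Bearer credential as the first answer describes, and reports which claim names appear in the token, in UserInfo, or in both. The realm URL, token and UserInfo response are constructed sample data, built to mimic the second answer's setup where a "department" mapper has "Add to access token" OFF and "Add to userinfo" ON.

```python
import base64
import json
import urllib.request

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWT without verifying it (what jwt.io does).
    Inspection only: a resource server must verify the signature against the
    realm's published keys (and check iss/aud/exp) before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def fetch_userinfo(userinfo_url: str, access_token: str) -> dict:
    """Call the OIDC UserInfo endpoint; it is a protected resource, so the
    access token obtained from the token endpoint goes in the Authorization header."""
    req = urllib.request.Request(
        userinfo_url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def compare_claims(access_claims: dict, userinfo_claims: dict) -> dict:
    """Show which claim names appear only in the token, only in UserInfo, or in both."""
    a, u = set(access_claims), set(userinfo_claims)
    return {"only_in_access_token": sorted(a - u),
            "only_in_userinfo": sorted(u - a),
            "in_both": sorted(a & u)}

# Constructed sample data (not a real Keycloak realm): the "department" mapper
# is excluded from the access token but included in the UserInfo response.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode()),
    _b64url(json.dumps({"iss": "https://keycloak.example/realms/demo", "sub": "u-1",
                        "aud": "account", "exp": 1700000000,
                        "preferred_username": "alice",
                        "realm_access": {"roles": ["user"]}}).encode()),
    "c2lnbmF0dXJl",  # placeholder signature segment, not a valid signature
])
SAMPLE_USERINFO = {"sub": "u-1", "preferred_username": "alice",
                   "email": "alice@example.com", "department": "finance"}

def demo() -> dict:
    return compare_claims(decode_jwt_payload(SAMPLE_ACCESS_TOKEN), SAMPLE_USERINFO)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live realm, replace the sample with the real token and `fetch_userinfo("https://<host>/realms/<realm>/protocol/openid-connect/userinfo", token)`; the path is an assumption about the deployment, so take it from the realm's discovery document.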