Why is 'id' called 'sub' in Keycloak?

2

16

I'm looking at the new Keycloak Beta 4 API. When I get the user's account information, what is referred to as 'id' in the web UI comes back as 'sub' in the account object.

{ sub: '25a37fd0-d10e-40ca-af6c-821f20e01be8',
  name: 'Barrack Obama',
  preferred_username: '[email protected]',
  given_name: 'Barrack',
  family_name: 'Obama',
  email: '[email protected]' }

What is 'sub' and is this a safe uuid to map database objects to?

Postmark answered 17/5, 2018 at 17:21
11

As per the Keycloak documentation:

Anatomy of Action Token

Action token is a standard Json Web Token signed with active realm key where the payload contains several fields:

typ - Identification of the action (e.g. verify-email)

iat and exp - Times of token validity

sub - ID of the user

azp - Client name

iss - Issuer - URL of the issuing realm

aud - Audience - list containing URL of the issuing realm

asid - ID of the authentication session (optional)

nonce - Random nonce to guarantee uniqueness of use if the operation can only be executed once (optional)

Please refer to the following link: https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_anatomy

The reason may be that they want to retain the uniqueness in the name.

Chevy answered 18/5, 2018 at 3:33
4

In addition to the previous answer, inside JWT tokens, sub refers to subject. The reason is that those tokens can be used in various cases, including authorization. That means that id sometimes might not be "the unique identifier" but might be anything, including repeatable destinations. Basically, a naming convention JWT follows, regardless of Keycloak.

Brownley answered 21/10, 2022 at 8:56
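An added Node.js example, not part of any answer above and not Keycloak's own code, for the question of mapping database objects to `sub`: it checks the token's signature, `iss` and `exp` before trusting any claim, then keys the local record on issuer plus `sub` and treats email and name as attributes that can change. The issuer URL, the generated key pair and the helper names (`signToken`, `verifyToken`, `upsertUser`) are constructed for illustration.

```javascript
const crypto = require("crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");

// Constructed stand-in for the realm key pair; a real client obtains the
// realm's public key from the issuer instead of generating one.
const realmKey = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const ISSUER = "https://sso.example.test/realms/demo"; // assumed issuer URL

// Constructed token factory, present only so the example runs offline.
function signToken(claims, key = realmKey.privateKey) {
  const head = b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Verify algorithm, signature, issuer and expiry before trusting any claim.
function verifyToken(token, publicKey, issuer, now = Date.now() / 1000) {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) throw new Error("malformed token");
  if (JSON.parse(Buffer.from(head, "base64url")).alg !== "RS256")
    throw new Error("unexpected alg");
  const ok = crypto.verify("sha256", Buffer.from(`${head}.${body}`),
    publicKey, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url"));
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (typeof claims.sub !== "string" || !claims.sub) throw new Error("no sub");
  return claims;
}

// Local records are keyed on issuer + sub; email and name are attributes
// refreshed on each login and never used for lookup.
const users = new Map();
function upsertUser(claims) {
  const key = `${claims.iss}|${claims.sub}`;
  const rec = users.get(key) || { key, logins: 0 };
  Object.assign(rec, { email: claims.email, name: claims.name });
  rec.logins += 1;
  users.set(key, rec);
  return rec;
}
```
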
