Creating documentation for Lightweight access token(#25743)

Closes keycloak#23725 Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2023-12-21 10:47:33 +09:00 · 2023-12-21 10:47:33 +09:00 · 8b65e6727b
commit 8b65e6727b
parent 67e73d3d4e
4 changed files with 14 additions and 0 deletions
--- a/docs/documentation/server_admin/images/add-mapper.png
+++ b/docs/documentation/server_admin/images/add-mapper.png
--- a/docs/documentation/server_admin/images/mapper-config.png
+++ b/docs/documentation/server_admin/images/mapper-config.png
--- a/docs/documentation/server_admin/topics/clients/client-policies.adoc
+++ b/docs/documentation/server_admin/topics/clients/client-policies.adoc
@ -128,6 +128,7 @@ One of several purposes for this executor is to realize the security requirement
 * Enforce prohibiting implicit and hybrid flow
 * Enforce checking if a PAR request includes necessary parameters included by an authorization request
 * Enforce <<_dpop-bound-tokens,DPoP-binding tokens>> is used (available when `dpop` feature is enabled)
+* Enforce <<_using_lightweight_access_token, using lightweight access token>>

 [[_client_policy_profile]]
 === Profile
--- a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
+++ b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
@ -66,3 +66,16 @@ Service account sessions provide the following details:
 Use the *Script Mapper* to map claims to tokens by running user-defined JavaScript code. For more details about deploying scripts to the server, see link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].

 When scripts deploy, you should be able to select the deployed scripts from the list of available mappers.
+
+[[_using_lightweight_access_token]]
+== Using lightweight access token
+The access token in {project_name} contains sensitive information, including Personal Identifiable Information (PII).
+Therefore, if the resource server does not want to disclose this type of information to third party entities such as clients, {project_name} supports lightweight access tokens that remove PII from access tokens.
+Further, when the resource server acquires the PII removed from the access token, it can acquire the PII by sending the access token to {project_name}'s token introspection endpoint.
+
+Information that cannot be removed from a lightweight access token::
+  Protocol mappers can controls which information is put onto an access token and the lightweight access token use the protocol mappers. Therefore, the following information cannot be removed from the lightweight access. +
+  `exp`, `iat`, `auth_time`, `jti`, `iss`, `sub`, `typ`, `azp`, `nonce`, `session_state`, `sid`, `scope`, `cnf`
+
+Using a lightweight access token in {project_name}::
+  By applying `use-lightweight-access-token` executor of <<_client_policies, client policies>> to a client, the client can receive a lightweight access token instead of an access token. The lightweight access token contains a claim controlled by a protocol mapper where its setting `Add to lightweight access token`(default OFF) is turned ON. Also, by turning ON its setting `Add to token introspection` of the protocol mapper, the client can obtain the claim by sending the access token to {project_name}'s token introspection endpoint.