diff --git a/docs/documentation/server_admin/images/add-mapper.png b/docs/documentation/server_admin/images/add-mapper.png index f199cde627..ac02689ec8 100644 Binary files a/docs/documentation/server_admin/images/add-mapper.png and b/docs/documentation/server_admin/images/add-mapper.png differ diff --git a/docs/documentation/server_admin/images/mapper-config.png b/docs/documentation/server_admin/images/mapper-config.png index 12c5e7ff3b..5710a10bf4 100644 Binary files a/docs/documentation/server_admin/images/mapper-config.png and b/docs/documentation/server_admin/images/mapper-config.png differ diff --git a/docs/documentation/server_admin/topics/clients/client-policies.adoc b/docs/documentation/server_admin/topics/clients/client-policies.adoc index aec63a3841..e0bb0b5626 100644 --- a/docs/documentation/server_admin/topics/clients/client-policies.adoc +++ b/docs/documentation/server_admin/topics/clients/client-policies.adoc @@ -128,6 +128,7 @@ One of several purposes for this executor is to realize the security requirement * Enforce prohibiting implicit and hybrid flow * Enforce checking if a PAR request includes necessary parameters included by an authorization request * Enforce <<_dpop-bound-tokens,DPoP-binding tokens>> is used (available when `dpop` feature is enabled) +* Enforce <<_using_lightweight_access_token, using lightweight access token>> [[_client_policy_profile]] === Profile diff --git a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc index a5ae151f07..410faf3e89 100644 --- a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc +++ b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc 
@@ -66,3 +66,16 @@ Service account sessions provide the following details: Use the *Script Mapper* to map claims to tokens by running user-defined JavaScript code. For more details about deploying scripts to the server, see link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}]. When scripts deploy, you should be able to select the deployed scripts from the list of available mappers. + +[[_using_lightweight_access_token]] +== Using lightweight access token +The access token in {project_name} contains sensitive information, including Personal Identifiable Information (PII). +Therefore, if the resource server does not want to disclose this type of information to third party entities such as clients, {project_name} supports lightweight access tokens that remove PII from access tokens. +Further, when the resource server acquires the PII removed from the access token, it can acquire the PII by sending the access token to {project_name}'s token introspection endpoint. + +Information that cannot be removed from a lightweight access token:: + Protocol mappers can controls which information is put onto an access token and the lightweight access token use the protocol mappers. Therefore, the following information cannot be removed from the lightweight access. + + `exp`, `iat`, `auth_time`, `jti`, `iss`, `sub`, `typ`, `azp`, `nonce`, `session_state`, `sid`, `scope`, `cnf` + +Using a lightweight access token in {project_name}:: + By applying `use-lightweight-access-token` executor of <<_client_policies, client policies>> to a client, the client can receive a lightweight access token instead of an access token. The lightweight access token contains a claim controlled by a protocol mapper where its setting `Add to lightweight access token`(default OFF) is turned ON. Also, by turning ON its setting `Add to token introspection` of the protocol mapper, the client can obtain the claim by sending the access token to {project_name}'s token introspection endpoint.
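Review bot: In the client-policies.adoc hunk, the new bullet "Enforce <<_using_lightweight_access_token, using lightweight access token>>" does not name the executor the reader has to configure, while the section it links to refers to it only as `use-lightweight-access-token`; the neighbouring DPoP bullet shows the pattern of stating the condition inline, so consider "Enforce <<_using_lightweight_access_token, using a lightweight access token>> (`use-lightweight-access-token` executor)" so that the policy page and the mapper page use the same name for the same executor.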
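Review bot: The last sentence of the con-protocol-mappers.adoc hunk contradicts the purpose stated at the top of the same section. "+Using a lightweight access token in {project_name}::" ends with "by turning ON its setting `Add to token introspection` of the protocol mapper, the client can obtain the claim by sending the access token to {project_name}'s token introspection endpoint", but the opening paragraph says the point of the lightweight token is that the resource server "does not want to disclose this type of information to third party entities such as clients" and that it is the resource server that recovers the removed PII through introspection. "the client" here should read "the resource server", otherwise the text documents the disclosure the feature exists to prevent. Second, the "Information that cannot be removed" item reasons backwards: "Protocol mappers can controls which information is put onto an access token and the lightweight access token use the protocol mappers. Therefore, the following information cannot be removed" does not follow, since the listed claims (`exp`, `iat`, `jti`, `iss`, `sub`, ...) are exactly the ones the section does not attribute to any mapper; suggest stating that these claims are set by the server rather than by a protocol mapper, which is why the mapper's `Add to lightweight access token` switch cannot strip them. Also fix the grammar in that item ("can control", "uses the protocol mappers", "removed from the lightweight access token"), "Personal Identifiable Information" should be "Personally Identifiable Information", and "`Add to lightweight access token`(default OFF)" needs a space before the parenthesis.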