
How to reduce the size of the access/refresh tokens in Keycloak?

I am setting up a Keycloak authentication server to allow authorized users to access a protected resource (OAuth 2.0).

The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While the OAuth 2.0 Authorization Framework is silent about the token size, all the identity providers are free to decide on the token size. For example, Facebook's token is less than 256 bytes, and the same goes for Google. But for Keycloak, I get a token of around 850 bytes! I have tried several encryption algorithms available in the admin console, but I still get a large JWT token. Decoding that JWT gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? If not, what is the best result I can get?

Thank you in advance

One aspect of the token size is the roles. If you don't need the roles to be in the token, because you don't care about roles or you query the roles differently (direct access via the admin API), then use client scopes to remove the unnecessary roles. I know this may not be what you wanted to hear, but it may help some people to get their token below 1MB ;)

Tip: You don't need to create a 'Client Scope'. It's enough to enable the specific scope in the Client config tab and leave it empty: Keycloak Admin UI > Client > Tab: Scope > Disable: Full Scope Allowed

Also try changing the signing algorithm: RS256 ~354 symbols, ES256 - 86 symbols, HS256 - 43 symbols. It can be configured using realm -> token -> default token algorithm, or on the client page.
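To see what the two suggestions above actually buy (dropping the role claims via client scopes, and changing the signature algorithm), here is an added Python example that is not part of the original answers and not Keycloak's own code. It re-serializes the question's decoded payload compactly, the way a JWT library does, builds a real HS256 token with the standard library so it runs offline, and estimates the total length per algorithm with and without the role claims. Assumptions: the `kid` value and HMAC secret are constructed, the RS256 signature length assumes a 2048-bit RSA key, and RS256/ES256 lengths are derived from their raw signature sizes rather than produced with real keys.

```python
"""Where do a Keycloak JWT's characters go, and what do the fixes save?
Added example; stdlib only, runs offline."""
import base64
import hashlib
import hmac
import json

# Constructed: the question's decoded access token, claim for claim.
SAMPLE_PAYLOAD = {
    "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
    "exp": 1556284611,
    "nbf": 0,
    "iat": 1556270211,
    "iss": "http://myadress:myport/auth/realms/myrealm",
    "aud": "myapp",
    "sub": "45464-445645-4b45641e-456456-45645646",
    "typ": "Bearer",
    "azp": "myapp",
    "auth_time": 1556269490,
    "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
    "acr": "0",
    "allowed-origins": [],
    "realm_access": {"roles": ["user"]},
    "resource_access": {},
    "scope": "readwrite",
}
# Claims that go away once the role mappers are out of the client's scope.
ROLE_CLAIMS = ("realm_access", "resource_access")
# Constructed: Keycloak puts a key id in the header; real ones are 43 chars.
KID = "x" * 43
SECRET = b"constructed-hs256-secret-not-for-production"
# Raw signature sizes: RSA-2048 (RS256), P-256 r||s (ES256), HMAC-SHA256.
RAW_SIGNATURE_BYTES = {"RS256": 256, "ES256": 64, "HS256": 32}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    """Serialize without whitespace, the way JWT libraries do."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def header_for(alg: str) -> dict:
    return {"alg": alg, "typ": "JWT", "kid": KID}


def strip_claims(payload: dict, claims=ROLE_CLAIMS) -> dict:
    """Payload as it looks with the role claims removed."""
    return {k: v for k, v in payload.items() if k not in claims}


def signature_chars(alg: str) -> int:
    """Base64url length of the signature: ceil(4n/3) for n raw bytes."""
    return len(b64url(b"\x00" * RAW_SIGNATURE_BYTES[alg]))


def estimate_total(payload: dict, alg: str) -> int:
    """Length of header.payload.signature for the given algorithm."""
    return (len(b64url(compact_json(header_for(alg)))) + 1
            + len(b64url(compact_json(payload))) + 1
            + signature_chars(alg))


def size_report(payload: dict) -> dict:
    """Total token length per algorithm, with and without role claims."""
    slim = strip_claims(payload)
    return {alg: {"full": estimate_total(payload, alg),
                  "no_roles": estimate_total(slim, alg)}
            for alg in RAW_SIGNATURE_BYTES}


def hs256_token(payload: dict, secret: bytes) -> str:
    """A real, verifiable HS256 JWS over the payload."""
    signing_input = (b64url(compact_json(header_for("HS256"))) + "."
                     + b64url(compact_json(payload)))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + b64url(mac.digest())


def verify_hs256(token: str, secret: bytes) -> bool:
    """Accept only alg=HS256 (no algorithm confusion), constant-time MAC check."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    mac = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256)
    return hmac.compare_digest(given, mac.digest())


def segment_sizes(token: str) -> dict:
    head, body, sig = token.split(".")
    return {"header": len(head), "payload": len(body),
            "signature": len(sig), "total": len(token)}


if __name__ == "__main__":
    tok = hs256_token(SAMPLE_PAYLOAD, SECRET)
    print("segments:", segment_sizes(tok), "valid:", verify_hs256(tok, SECRET))
    for alg, sizes in size_report(SAMPLE_PAYLOAD).items():
        print(f"{alg}: full={sizes['full']} no_roles={sizes['no_roles']}")
```

Run it against a token copied from your own realm by replacing SAMPLE_PAYLOAD with the decoded payload: the report shows that the signature (342, 86 or 43 characters) is only part of the cost, and that with the question's claim set the payload alone keeps the token above 256 characters even after the role claims and the shortest signature are chosen.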

Declaration: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site or the original address.

© 2020-2024 STACKOOM.COM