
How to reduce the size of the access/refresh tokens in Keycloak?

I am setting up a Keycloak authentication server to allow authorized users to access a protected resource (OAuth 2.0).

The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While the OAuth 2.0 Authorization Framework is silent about token size, identity providers are free to decide on it themselves. For example, Facebook's token is less than 256 bytes, and the same goes for Google. But with Keycloak, I get a token of around 850 bytes! I have tried several encryption algorithms available in the admin console, but I still get a large JWT. Decoding that JWT gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? If not, what is the best result I can get?

Thank you in advance

One aspect of the token size is the roles. If you don't need the roles to be in the token because you don't care about roles or you query the roles differently (direct access via the admin API), then use client scopes to remove the unnecessary roles. I know this may not be what you wanted to hear, but it may help some people to get their token below 1MB ;)

Tip: You don't need to create a 'Client Scope'. It's enough to enable the specific scope in the client config tab and leave it empty: Keycloak Admin UI > Client > Tab: Scope > Disable: Full Scope Allowed

Also try changing the signing algorithm. RS256 ~354 characters, ES256 - 86 characters, HS256 - 43 characters. It can be configured using realm -> token -> default token algorithm, or on the client page.
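To make the two answers above measurable, here is an added example (not code from the question, the answers, or Keycloak itself) that rebuilds a compact JWS from a claim set modelled on the decoded token in the question, signs it with HS256 using only the Python standard library, and reports how many characters of the token are header, payload and signature for each algorithm. Assumptions: the header is the minimal {"alg","typ"} pair (a real Keycloak header also carries a "kid", which adds a few dozen characters); RS256 is computed for a 2048-bit key (256-byte signature); ES256 and RS256 signature lengths are derived from their fixed signature sizes rather than produced by a real key; the claim values are placeholders copied from the question, not real identifiers.

```python
import base64
import hashlib
import hmac
import json

# Constructed claim set modelled on the decoded token in the question.
# All identifiers are placeholders, not real Keycloak output.
FULL_CLAIMS = {
    "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
    "exp": 1556284611,
    "nbf": 0,
    "iat": 1556270211,
    "iss": "http://myadress:myport/auth/realms/myrealm",
    "aud": "myapp",
    "sub": "45464-445645-4b45641e-456456-45645646",
    "typ": "Bearer",
    "azp": "myapp",
    "auth_time": 1556269490,
    "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
    "acr": "0",
    "allowed-origins": [],
    "realm_access": {"roles": ["user"]},
    "resource_access": {},
    "scope": "readwrite",
}

# Raw signature size in bytes for each JWS algorithm.
# Assumption: RS256 uses a 2048-bit key, so the signature is 256 bytes.
SIG_BYTES = {"HS256": 32, "ES256": 64, "RS256": 256}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_part(obj) -> str:
    """Compact JSON (no whitespace), as a JWT issuer emits it, then base64url."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def signature_chars(alg: str) -> int:
    """Number of base64url characters the signature occupies for this algorithm."""
    return len(b64url(b"\x00" * SIG_BYTES[alg]))


def drop_role_claims(claims: dict) -> dict:
    """Claim set left after turning off 'Full Scope Allowed' with no role mappings:
    the realm_access and resource_access claims disappear."""
    return {k: v for k, v in claims.items() if k not in ("realm_access", "resource_access")}


def hs256_token(claims: dict, key: bytes) -> str:
    """Real HS256 JWS: header.payload.HMAC-SHA256(header.payload)."""
    header = encode_part({"alg": "HS256", "typ": "JWT"})
    payload = encode_part(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def size_budget(claims: dict, alg: str) -> dict:
    """Characters contributed by each part of the compact serialisation."""
    header = encode_part({"alg": alg, "typ": "JWT"})
    payload = encode_part(claims)
    return {"header": len(header), "payload": len(payload), "signature": signature_chars(alg)}


def token_length(claims: dict, alg: str) -> int:
    """Total compact JWS length: three parts plus the two '.' separators."""
    b = size_budget(claims, alg)
    return b["header"] + b["payload"] + b["signature"] + 2


if __name__ == "__main__":
    for label, claims in (("full claims", FULL_CLAIMS), ("roles removed", drop_role_claims(FULL_CLAIMS))):
        for alg in ("RS256", "ES256", "HS256"):
            print(f"{label:14s} {alg}: {token_length(claims, alg):4d} chars  {size_budget(claims, alg)}")
```

Running it shows the point both answers make and its limit: the signature shrinks from 342 characters (RS256, 2048-bit key) to 86 (ES256) to 43 (HS256), and dropping the role claims trims the payload further, but for the claim set in the question the base64url payload alone is still several hundred characters, so neither change on its own brings the whole token under 256. The payload, not the signature, is the budget that matters here.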

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
