Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Bearer token getting too big

Tags:

oauth-2.0

jwt

bearer-token

In an application I'm building, we're using JWT tokens as OAuth Bearer token.

Say we have a resource collection called things, addressable by thing ID, eg. things/1, things/44, etc.

Currently, whenever someone request an access token with the scope things, we include a list of all the rights the user has to each of the things it has rights to:

{
   "sub": "Romeo",
   "scope": [ "things" ],
   "things": {
     "1": [ "read", "write", "delete" ],
     "44": [ "read", "write"],
   }
  // ...
}

This works fine, but things go bad when the user has a lot of things. Because all the rights are encoded inside the JWT token, the token gets really bigger for every thing the user has.

This is not scalable, and I need to find a solution for this. I could scope the tokens to belong to a single thing at a time, but then token management for a client that manages becomes a hell (I need a token that can list the tokens and need to keep one token per thing).

I can't get rid of Bearer tokens because some of our components are not able to talk to the token issuer for multiple reasons.

Is there a standard way to solve this problem? I was thinking about making tokens with the things scope interchangeable, so I can exchange restricted tokens that only have a part of the things in them for other tokens that have other parts of the things in them.

like image 802
romeovs Avatar asked Sep 13 '16 09:09

romeovs

2 Answers

That information doesn't necessarily need to be in the token. As long as the token contains a reference to the user, the Resource Server can do a lookup in to some backend service/database to retrieve the corresponding permissions, associated with exactly the resource that is being requested at that time.

That service doesn't need to be the Authorization Server itself; it can also be a database or any type of backend system (probably the same that the Authorization Server would talk to).

like image 84
Hans Z. Avatar answered Oct 12 '22 17:10

Hans Z.

I think @hans-z has it correct. oAuth does not solve this problem for you.

When you hit the pain barrier, I would suggest your implement a User-Service where "things" can be requested with the JWT token.

To postpone the pain barrier, you might consider changing to JSON Web Tokens or another implementation where token compression is supported or re-code the tokens with protobuf when sent over the network.

like image 21
Heikki Avatar answered Oct 12 '22 17:10

Heikki
Sign in to Comment

Related questions

Keycloak and Spring Boot web app in dockerized environment
OAuth (Instagram) without refresh
Authentication with Asp.Net, RavenDB and OAuth support
Android OAuth2 Bearer token best practices
Google OAuth 2.0 include_granted_scopes not working for installed app
Can email address not verified in oauth2?
How can I configure the expiration time of an Azure AD access token (using ADAL)?
OAuth 2.0 where to securely store access token for long term use
CORS issue with Google Oauth2 for server side webapps
What am I doing wrong in localhost Facebook app development?
pull queues authorization from compute
Google Webmasters API for Java returns empty site list
Oauth2 flow in Flutter app
How to create Google API OAuth Credentials object from alternate source
JWT "invalid_grant" in Signature in Google OAuth2
Organizing a secure channel between a Web app and a Native app
Accessing Google Cloud Storage From Android OAuth2
github oauth with multiple domains
Accessing the current client app using Doorkeeper
How to create a oAuth request using java?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!