How to reduce the size of the access/refresh tokens in Keycloak?

I am setting up a Keycloak authentication server to allow authorized users to access a protected resource (OAuth 2.0).

The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While the OAuth 2.0 Authorization Framework is silent about the token size, all identity providers are free to decide on the token size. For example, Facebook's token is less than 256 bytes, and the same goes for Google. But with Keycloak, I get a token of around 850 bytes! I have tried several encryption algorithms available in the admin console, but I still get a large JWT token. Decoding that JWT gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens, and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? If not, what is the best result I can get?

Thank you in advance

Safwen asked May 02 '19 15:05

1 Answer

Also try changing the signing algorithm: RS256 ~354 symbols, ES256 86 symbols, HS256 43 symbols. It can be configured using realm -> token -> default token algorithm, or on the client page.

Bogdan answered Sep 18 '22 14:09
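Added example (not from the answer above, from Keycloak, or from the question's author), in Python using only the standard library: it builds a real HS256 JWT over the claims shown in the question and computes the compact-JWS length that each of the three algorithms named in the answer would produce, so the 256-character budget can be split between signature and claims. The RS256 figure assumes a 2048-bit RSA key (256-byte signature, which base64url-encodes to 342 characters; the answer's ~354 is the same order of magnitude); `DEMO_KEY` and the smaller `MINIMAL_CLAIMS` set are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import math

# Constructed sample: the (already redacted) claims from the question.
CLAIMS = {
    "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
    "exp": 1556284611,
    "nbf": 0,
    "iat": 1556270211,
    "iss": "http://myadress:myport/auth/realms/myrealm",
    "aud": "myapp",
    "sub": "45464-445645-4b45641e-456456-45645646",
    "typ": "Bearer",
    "azp": "myapp",
    "auth_time": 1556269490,
    "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
    "acr": "0",
    "allowed-origins": [],
    "realm_access": {"roles": ["user"]},
    "resource_access": {},
    "scope": "readwrite",
}

# Constructed: the smallest claim set a resource server could still act on.
MINIMAL_CLAIMS = {
    "sub": CLAIMS["sub"],
    "exp": CLAIMS["exp"],
    "iss": CLAIMS["iss"],
    "aud": CLAIMS["aud"],
}

# Constructed HMAC secret for the demonstration; never reuse a literal key in practice.
DEMO_KEY = b"demo-only-hmac-secret-not-for-production"

# Raw signature sizes in bytes. RS256 assumes a 2048-bit RSA key (assumption);
# ES256 is r||s on P-256 (2 x 32 bytes); HS256 is a SHA-256 HMAC tag.
SIGNATURE_BYTES = {"RS256": 256, "ES256": 64, "HS256": 32}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_len(nbytes: int) -> int:
    """Length in characters of the unpadded base64url encoding of nbytes bytes."""
    return math.ceil(4 * nbytes / 3)


def compact_json(obj) -> bytes:
    """Serialise without whitespace, the way JWT producers do."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a real HS256 JWT (header.payload.signature)."""
    header = b64url(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(compact_json(claims))
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def size_budget(claims: dict) -> dict:
    """Total compact-JWS length per algorithm for the given claims (2 dots included)."""
    payload_len = b64url_len(len(compact_json(claims)))
    budget = {}
    for alg, nbytes in SIGNATURE_BYTES.items():
        header_len = b64url_len(len(compact_json({"alg": alg, "typ": "JWT"})))
        budget[alg] = header_len + 1 + payload_len + 1 + b64url_len(nbytes)
    return budget


if __name__ == "__main__":
    for name, claims in (("question's claims", CLAIMS), ("minimal claims", MINIMAL_CLAIMS)):
        print(name, size_budget(claims))
    token = sign_hs256(CLAIMS, DEMO_KEY)
    print("HS256 token length:", len(token), "verifies:", verify_hs256(token, DEMO_KEY))
```

Running it shows that with the claims in the question the token stays well above 256 characters even under HS256, so switching the signature alone does not meet the device limit: the encoded claims, not the signature, dominate the size, and only a much smaller claim set fits the budget. Note the trade-off HS256 brings: every resource server that verifies the token must hold the same secret and can therefore also mint tokens, whereas with RS256 or ES256 verifiers need only the public key.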