Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to reduce the size of the access/refresh tokens in Keycloak?

Tags:

token

oauth-2.0

jwt

keycloak

I am setting a keycloack authentication server to allow authorized users to access a protected resource (OAuth2.0).

The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While in The OAuth 2.0 Authorization Framework is silent about the token size, all the identity providers are free to decide about the token size. For example, Facebook's token is less than 256 bytes, the same for Google. But for keycloack, I get a token around 850 bytes! I have tried several encryption algorithms available in the admin console by I still get a large jwt token. Decoding that jwt gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? if no, what is the best result I can get?

Thank you in advance

like image 567
Safwen Avatar asked May 02 '19 15:05

Safwen

People also ask

What is the maximum length of refresh token?

What are the maximum lengths of access token and refresh token? The lengths of access token and refresh token are related to the information encoded in the tokens. Currently, each of the two tokens contains a maximum of 1024 characters.

How do I change the refresh token time in Keycloak?

The refresh tokens lifespan is defined by the "Client Session Max" parameter in the "Tokens" tab of the Realm settings. It can also be overridden on individual clients level under the "Advanced Settings" menu of the client settings page. The maximum time before a refresh token is expired and invalidated.

What is the best way to store refresh token?

Access token and refresh token shouldn't be stored in the local/session storage, because they are not a place for any sensitive data. Hence I would store the access token in a httpOnly cookie (even though there is CSRF) and I need it for most of my requests to the Resource Server anyway.

What is access token lifespan Keycloak?

When offline session max limited mode is activated, the offline token expires after 60 days regardless of using the offline token for a refresh token action.

1 Answers

Also try to change signing algorithm. RSA256 ~354 symbols, ESA256 - 86 symbols, HS256 - 43 symbols. Could be configured using realm -> token -> default token algorithm or on client page

like image 188
Bogdan Avatar answered Sep 18 '22 14:09

Bogdan
Sign in to Comment

Related questions

How to automatically refresh expired token with AFOAuth2Manager?
how to generate OAuth client identifier and client secret?
Override AccessTokenExpireTimeSpan
VK Oauth: Security Error
Do Facebook has a refresh token of OAuth?
Google OAuth 2 and state parameter values need to be registered in redirect url
Android - how to get google plus access token?
OAuth-2.0/JWT - guidance about when to use scope vs roles
Decrypt OAuth 2.0 access token
Box oauth2: Invalid grant_type parameter or parameter missing
Multiple IdentityServer Federation : Error Unable to unprotect the message.State
Keycloak JAX-RS and Postman Authorization (Auth URL)
Clear the session/cache/cookie in the JavaFX WebView
Instagram API: do scopes work with OAuth2 implicit authentication flow?
Google oauth 2.0 API password change Username and Password not accepted
AngularJS and Google OAuth2 redirect_uri
How can I add token authentication to my IIS so as to secure files in a folder?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!