How to reduce the size of the access/refresh tokens in Keycloak?

Question

I am setting a keycloack authentication server to allow authorized users to access a protected resource (OAuth2.0).

The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While in The OAuth 2.0 Authorization Framework is silent about the token size, all the identity providers are free to decide about the token size. For example, Facebook's token is less than 256 bytes, the same for Google. But for keycloack, I get a token around 850 bytes! I have tried several encryption algorithms available in the admin console by I still get a large jwt token. Decoding that jwt gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? if no, what is the best result I can get?

Thank you in advance

Nothing so far... I had to work around it by spliting the token on 4 different parts... wasted processing time. — Safwen, Aug 18 '20 at 15:29

score 3 · Answer 1 · answered Jan 23 '21 at 11:09

3

Also try to change signing algorithm. RSA256 ~354 symbols, ESA256 - 86 symbols, HS256 - 43 symbols. Could be configured using realm -> token -> default token algorithm or on client page

answered Jan 23 '21 at 11:09

Bogdan

702
3
6
22

score 2 · Answer 2 · edited Oct 21 '21 at 06:46

One aspect of the token size are the roles. If you don't need the roles to be in the token because you don't care about roles or you query the roles differently (eg. direct access via admin api), then use client scopes to remove the unnecessary roles. I know this may not be what u wanted to hear but it may help some people to get their token below 1 kB ;)

Tip: You don't need to create a 'Client Scope'. Its enough to enable specific Scope in the Client config tab and leave it empty: Keycloak Admin UI > Client > Tab: Scope > Disable: Full Scope Allowed

How to reduce the size of the access/refresh tokens in Keycloak?

2 Answers2