Hello all,
I have implemented the authorization code flow for a client who has a full-stack app, and at the end of the flow the access token is returned to the front-end. The initial idea is to store the access token in local storage, but it's possible to change this if it turns out to be insecure; I see that there is a lot of debate about this.
What bothers me is that the access token seems to contain information about the user as well.
Does anyone know if it is possible to remove this data from the token?
```json
{
  "iat": 1626951280,
  "auth_time": 1626951277,
  "jti": "8d22f905-e9be-4f0b-9728-08f73a5ada05",
  "iss": "https://idp-testcloudapp/auth/realms/Demo",
  "aud": "test.com",
  "sub": "30fa93xc-b744-489a-bd2f-5e3277311346",
  "typ": "Bearer",
  "azp": "test.com",
  "session_state": "7re4e92a-57a9-47e8-b385-986ea431e05e",
  "acr": "1",
  "allowed-origins": [
    "https://test-sso.web.app",
    "http://localhost:3000"
  ],
  "scope": "openid profile email",
  "email_verified": false,
  "name": "test Local",
  "preferred_username": "test-local",
  "given_name": "Test",
  "family_name": "Local",
  "email": "test@test.com"
}
```
Additional bonus question: is it possible to reduce the length of the access token? For example, in the OpenID specs the access token looks like this: `"access_token": "SlAV32hkKG"`, but the one generated by Keycloak is a lot longer.
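An added example for readers of this thread, not code from the poster or from Keycloak: it takes the claim set quoted above, wraps it in an unsigned JWT-shaped token (the signature part is a labelled placeholder) and decodes it the way a browser script in the same origin could, then separates the claims that describe the grant (`iss`, `aud`, `sub`, `scope`, ...) from the identity claims that the OpenID Connect `profile` and `email` scopes define. The `minimized` function is an assumption about what the same token would carry if those identity claims were not mapped into it; which claims the issuer actually puts into an access token is decided by the identity provider's configuration, not by this script. The length comparison at the end is the point behind the bonus question: a JWT is long because every claim is carried in the token itself, so dropping claims shortens it, while a short opaque token like `SlAV32hkKG` carries nothing and must be looked up at the issuer.

```python
import base64
import json

# Constructed sample: the claim set quoted in the post, used as the payload of an
# unsigned, JWT-shaped token so the parsing below has realistic input. Nothing
# here is a real Keycloak token or a real signature.
SAMPLE_PAYLOAD = {
    "iat": 1626951280,
    "auth_time": 1626951277,
    "jti": "8d22f905-e9be-4f0b-9728-08f73a5ada05",
    "iss": "https://idp-testcloudapp/auth/realms/Demo",
    "aud": "test.com",
    "sub": "30fa93xc-b744-489a-bd2f-5e3277311346",
    "typ": "Bearer",
    "azp": "test.com",
    "session_state": "7re4e92a-57a9-47e8-b385-986ea431e05e",
    "acr": "1",
    "allowed-origins": ["https://test-sso.web.app", "http://localhost:3000"],
    "scope": "openid profile email",
    "email_verified": False,
    "name": "test Local",
    "preferred_username": "test-local",
    "given_name": "Test",
    "family_name": "Local",
    "email": "test@test.com",
}

# Standard claims released by the OIDC "profile" and "email" scopes
# (OpenID Connect Core 1.0, section 5.4). They describe the person, not the grant.
PROFILE_SCOPE_CLAIMS = {
    "name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
}
EMAIL_SCOPE_CLAIMS = {"email", "email_verified"}
IDENTITY_CLAIMS = PROFILE_SCOPE_CLAIMS | EMAIL_SCOPE_CLAIMS


def b64url_encode(data: bytes) -> str:
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(payload: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature (test input only)."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url_encode(compact(header)),
                     b64url_encode(compact(payload)),
                     "placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Read the claim set WITHOUT verifying the signature. For inspection only:
    anything that grants access must verify the token first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def identity_claims(claims: dict) -> dict:
    """Claims that reveal who the user is: the part that is exposed if the token
    is readable from localStorage (by any script on the origin) or from a log."""
    return {k: v for k, v in claims.items() if k in IDENTITY_CLAIMS}


def minimized(claims: dict) -> dict:
    """Assumed shape of the same grant with identity claims left out; the resource
    server still gets sub/aud/scope and can look the user up by sub if it must."""
    return {k: v for k, v in claims.items() if k not in IDENTITY_CLAIMS}


def token_length(payload: dict) -> int:
    """Length in characters of the compact token carrying this payload."""
    return len(build_unsigned_jwt(payload))


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_PAYLOAD)
    claims = decode_claims(token)
    print("identity claims exposed:", sorted(identity_claims(claims)))
    print("token length: full=%d minimized=%d"
          % (token_length(claims), token_length(minimized(claims))))
```

Run it as-is and it lists the six identity claims present in the quoted token and shows how much shorter the token gets without them; point `decode_claims` at a real token string from the browser's storage to see what a script on that origin could read. The decoder deliberately skips signature verification because it is an inspection tool; a resource server must verify before trusting any claim.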