Access token limit size (Kb)

Dear all,

In our project we have a lot of roles and composite roles designed to fit the needs of the stakeholders. We use the client's Full Scope option and thus we are wondering how far we can continue to add claims to the access token. Is there a limit in terms of size (kB) to be aware of?

Thanks

No, there is no size limit. But if your token is huge:

  • then infrastructure may reach its own limits, e.g. nginx has a default request header buffer size of 4 kB, and the token is usually sent as part of the request headers
  • the browser may refuse to save the cookie (if you use a cookie to store the access token); the typical browser limit for a single cookie is ~4 KB

So it is always a good idea to keep the token size minimal, for example with role/group filtering. If you need more user details, you can use the userinfo endpoint/response instead of the token.

Thank you very much. We shall consider your proposition to use userinfo.

Is there any other way we can use to retrieve the logged-in user's roles from Keycloak?

I am using the Spring Boot adapter for my application. We are facing the same issue. If the token size is large, it is blocked at the server level.

Use role-ldap-mapper with a proper filter for the client in use. Doc: https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
So a user may have thousands of roles, but the filter selects only the roles relevant to that particular client. That is usually a few roles, so there is no problem with infrastructure limits.

But isn't that only for LDAP users? We have around 20 microservices, each of which may have around a hundred roles. The token issued at the login page of our UI contains all the roles for each microservice.
Now if we somehow manage to include only the roles that are relevant to a client, what happens to the token issued in the UI (which I imagine won't have any role from any microservice) when it is passed to the backend?
– update –
So I managed to exclude client roles (except for the client 'account') from the access token. Now when the request reaches the backend, it fails immediately with the error "Failed to obtain policy enforcer". If I put the roles back in, everything works just fine. Isn't there really a way to tell the Spring Boot adapter to query only the roles for that user that are relevant to the client? We have so many roles.

I was confused by the same problem.