Authorization Code Grant Flow shorten authorization_code and token

Greetings.

Would you be so kind to help me find a solution to the problem: I need to shorten the authorization_code and token which I get using Authorization Code Grant Flow. I am using Keycloak server version 18 but can try to switch to another version if that helps me solve the problem.

Thanks in advance!

Hi.

I don’t think there is a way to shorten the authorization_code out of the box in Keycloak. You’ll need to alter the authenticator to do that.

On the other hand, if you are receiving the token via URL, then you are using the implicit flow. You can change to standard flow and get the token via HTTP request.

As the authorization_code is pretty short and the token is pretty large, I suppose standard flow will solve your problem.

If this is a mobile app or single page application, you should enable PKCE.
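The difference this answer draws between the two flows, as an added example that is not part of the original thread or of Keycloak's own code: with response_type=code only a short authorization code comes back through the browser, and the (large) JWT is fetched with a back-channel POST, protected by PKCE. The Keycloak base URL, realm, client ID and redirect URI below are assumed placeholders; the endpoint paths /realms/{realm}/protocol/openid-connect/auth and /token are the Keycloak 18 (Quarkus) layout, older distributions prefix them with /auth. The RFC 7636 test vector is used to check the S256 challenge derivation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; substitute your own realm and client.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
CLIENT_ID = "my-spa"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair(nbytes: int = 32) -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(nbytes))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(code_challenge: str, state: str) -> str:
    """Front-channel request: only an authorization code is returned to the browser."""
    params = {
        "response_type": "code",  # standard (authorization code) flow, not implicit
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect after checking state; refuse error responses."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale request or CSRF attempt")
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> tuple[str, dict]:
    """Back-channel POST (URL, form body): the JWT travels here, never in the browser URL."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }
    return url, body


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """The server-side check when the token request arrives (constant-time compare)."""
    return secrets.compare_digest(code_challenge_for(code_verifier), code_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print("1. send browser to:", build_authorize_url(challenge, state))
    # Constructed callback, standing in for the redirect Keycloak would issue.
    code = parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    url, body = build_token_request(code, verifier)
    print("2. POST", url, body)
    print("3. server checks PKCE:", verify_pkce(body["code_verifier"], challenge))
```

The verifier never leaves the client until the token request, so an attacker who only sees the redirect URL holds a code they cannot redeem.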

Hi, Welton Rodrigo.
Thank you for the answer.
I’m already using standard flow, I get an authorization_code in browser redirect, and I get a JWT token via HTTP request.
You mentioned altering authenticator - could you point out where exactly? I see a solution in reimplementing OIDC login protocol but maybe there is a simpler solution…

Ok. Probably not a good idea to cook your own spinoff protocol.

Here a quickstart on making your own authenticator: Keycloak Tutorial Series - Authenticator Part 1 - YouTube


Hi,

You could edit the scopes or client attribute mappers to remove the unnecessary claims from the tokens or configure the mappers to include the claims only in the user info, not in the tokens.

Another way to shorten the access/id tokens is to reduce the bit-length of the RSA key used to sign the tokens. Depending on your security needs, 1024 bit length may be ok (but not recommended), 2048 bits are definitely enough. Shorter RSA keys → shorter JWT signature part → shorter JWT.

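Before dropping claims or shrinking the signing key it helps to measure where the characters actually go. The following is an added example, not code from the thread or from Keycloak: it builds a constructed JWT with the kind of claims a Keycloak 18 access token carries (realm URL, client and user values are made up), pads it with a zero-filled dummy signature of the size the chosen algorithm would produce, and reports the cost of each segment and of the largest claims. The RS256 signature is exactly the modulus size (256 bytes for a 2048-bit key, 128 for 1024), while ES256 needs only 64 bytes, so the same comparison also quantifies the key-length remark above.

```python
import base64
import json
import math

# Constructed sample claims, not a real token; values mimic a Keycloak 18 access token.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
SAMPLE_CLAIMS = {
    "exp": 1650000300, "iat": 1650000000, "jti": "0f1e2d3c-constructed",
    "iss": "https://keycloak.example.com/realms/myrealm",  # assumed realm URL
    "aud": "account", "sub": "constructed-subject", "typ": "Bearer", "azp": "my-spa",
    "session_state": "constructed-session", "acr": "1",
    "realm_access": {"roles": ["default-roles-myrealm", "offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
    "scope": "openid email profile", "email_verified": True,
    "name": "Ada Example", "preferred_username": "ada", "given_name": "Ada",
    "family_name": "Example", "email": "ada@example.com",
}

# Raw signature size per algorithm; RS/PS are overridden by the key length in build_token.
SIGNATURE_BYTES = {"RS256": 256, "PS256": 256, "ES256": 64, "HS256": 32}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encoded_len(nbytes: int) -> int:
    """Characters of unpadded base64url needed for nbytes of raw data."""
    return math.ceil(4 * nbytes / 3)


def build_token(claims: dict, alg: str = "RS256", rsa_bits: int = 2048) -> str:
    """Assemble header.payload.signature with a dummy signature of realistic length."""
    header = dict(SAMPLE_HEADER, alg=alg)
    sig_len = rsa_bits // 8 if alg in ("RS256", "PS256") else SIGNATURE_BYTES[alg]
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(bytes(sig_len)),  # zero-filled stand-in, same size as a real signature
    ])


def analyze(token: str) -> dict:
    """Split a compact JWT into its three segments and rank claims by encoded cost."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    cost = {}
    for key, value in claims.items():
        # Approximate cost of `"key":value,` in compact JSON, scaled to base64url chars.
        raw = len(json.dumps({key: value}, separators=(",", ":")).encode()) - 2 + 1
        cost[key] = encoded_len(raw)
    return {
        "alg": json.loads(b64url_decode(h))["alg"],
        "header_chars": len(h),
        "payload_chars": len(p),
        "signature_chars": len(s),
        "total_chars": len(token),
        "largest_claims": sorted(cost.items(), key=lambda kv: kv[1], reverse=True)[:5],
    }


def drop_claims(claims: dict, unwanted: set) -> dict:
    """Model of switching a mapper's 'Add to access token' off while leaving it in userinfo."""
    return {k: v for k, v in claims.items() if k not in unwanted}


if __name__ == "__main__":
    full = analyze(build_token(SAMPLE_CLAIMS))
    print("RS256 / 2048-bit key:", full)
    lean = analyze(build_token(drop_claims(SAMPLE_CLAIMS, {"resource_access", "realm_access", "session_state"})))
    print("after dropping three claims:", lean["total_chars"], "chars (was", full["total_chars"], ")")
    for alg, bits in (("RS256", 2048), ("RS256", 1024), ("ES256", 2048)):
        print(alg, bits if alg == "RS256" else "", "signature chars:",
              analyze(build_token(SAMPLE_CLAIMS, alg, bits))["signature_chars"])
```

Run it against a real token from your realm (analyze() only needs the compact string) to see whether the payload or the signature dominates; if the signature is the problem, switching the realm's signing algorithm to ES256 cuts it from 342 to 86 characters without the downgrade to a 1024-bit RSA key.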