Keycloak Cookies are too large

I’m having an issue with Keycloak Cookies. The proxy that I have in place is very strict and has header size limitations, basically rendering Keycloak cookies too large.

The session IDs and identity IDs are all fine, and my JWT isn’t large on its own, i.e. it doesn’t contain a bunch of roles, etc., yet all of this together results in header sizes of ~6-7KB.

In what ways can I reduce the size? What are my options?

Also, I noticed there are the “_LEGACY” duplicates of all of these. I looked into it, but couldn’t find the reasoning behind this - except that it supposedly is needed for older browsers on macOS?

What are they really, and why are they needed? Can I somehow remove these legacy cookies?

If you have extended the user model with additional attributes, and/or added many groups, you might want to check the Assigned Default Client Scopes in your clients. I think the default is to add the complete “profile” of the user, and this possibly carries all the attributes of the user. Perhaps instead you could use the Mappers and only map those specific attributes required in each client. I think this might help to reduce the size of the tokens, or at least, this is something I would check … in case it is worth it.

Thanks a lot.

Yeah, this was more or less the first thing I’ve checked out. Unfortunately, there’s already not a lot of groups, scopes, etc. or attributes contained within the JWTs, so the only thing I noticed are the _LEGACY duplicates.

Any chance you know whether this is needed, or it can be removed?
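
For anyone debugging the same problem, here is an added example (not code from any of the posters or from Keycloak) that breaks a captured `Cookie` header down by cookie, totals the bytes spent on `_LEGACY` twins, and ranks the claims inside a JWT by size so oversized mappers stand out. The cookie names follow Keycloak's usual naming; the header, token and values are constructed sample data, and the function names are hypothetical.

```python
import base64
import json

def b64url(obj):
    """Compact JSON -> unpadded base64url, as used for JWT segments."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data: an unsigned dummy token and a Cookie header.
SAMPLE_JWT = ".".join([b64url({"alg": "HS256"}),
                       b64url({"sub": "u1", "groups": ["a", "b", "c"]}),
                       "sig"])
SAMPLE_HEADER = ("AUTH_SESSION_ID=abc.node1; AUTH_SESSION_ID_LEGACY=abc.node1; "
                 f"KEYCLOAK_IDENTITY={SAMPLE_JWT}; KEYCLOAK_IDENTITY_LEGACY={SAMPLE_JWT}")

def cookie_sizes(cookie_header):
    """Return {cookie name: bytes of 'name=value'} for a Cookie request header."""
    sizes = {}
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair:
            sizes[pair.partition("=")[0]] = len(pair.encode("utf-8"))
    return sizes

def legacy_overhead(sizes):
    """Bytes spent on *_LEGACY cookies whose non-legacy twin is also sent."""
    suffix = "_LEGACY"
    return sum(n for name, n in sizes.items()
               if name.endswith(suffix) and name[:-len(suffix)] in sizes)

def jwt_claim_sizes(token):
    """Decode a JWT payload WITHOUT verifying it; return the byte size of
    each {claim: value} as compact JSON, largest first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    sized = {k: len(json.dumps({k: v}, separators=(",", ":")).encode())
             for k, v in claims.items()}
    return dict(sorted(sized.items(), key=lambda kv: kv[1], reverse=True))

if __name__ == "__main__":
    sizes = cookie_sizes(SAMPLE_HEADER)
    for name, n in sorted(sizes.items(), key=lambda kv: kv[1], reverse=True):
        print(f"{n:6d}  {name}")
    print("duplicated in _LEGACY cookies:", legacy_overhead(sizes), "bytes")
    print("claims by size:", jwt_claim_sizes(SAMPLE_JWT))
```

Cookie values copied from a real browser session are live credentials, so run this locally and keep them out of tickets and chat logs.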