I am currently using Keycloak (v11) as an identity broker for authentication and authorization. One issue I am facing is that the JWT tokens generated by Keycloak tend to get very large if a user has many roles. Currently, the project that uses Keycloak for identity brokering consists of multiple microservices (clients, in Keycloak terms). This leads me to ask two questions:
- Why is it that, when a specific client / resource asks for a JWT, the JWT comes with all client roles for that user (including client roles for other clients)? Would it break any pattern in OpenID Connect if I changed the default client scope so that only the client roles related to that specific client would appear? Or would that specific pattern have a different name?
- Is there an OIDC-related pattern where one first authenticates and then "lazily evaluates" authorization-related questions like roles? That is, I would like some agent Bob to authenticate via Keycloak, and whenever Bob wants to use some service protected by a role, Bob asks Keycloak whether he has that specific role. The purpose of this would be to minimize the token size.
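To make the two questions above concrete, here is an added example (not from the original post, and not Keycloak's own code) that works on the shape of a Keycloak access-token payload. Keycloak's default role mapping puts realm roles under `realm_access.roles` and client roles under `resource_access.<client-id>.roles`; the client names, roles, issuer and subject in the sample are constructed. The code measures how much of the encoded payload is taken up by roles belonging to other clients, shows what a token restricted to one client's roles would look like (the first question), and shows the resource-server side of the "lazy" alternative: checking a role against an RFC 7662 token-introspection response instead of against claims carried in the token (the second question). The sample introspection responses are constructed too; in practice the resource server obtains them by POSTing the token to Keycloak's introspection endpoint, and it must verify the JWT signature before trusting any claim in a self-contained token.

```python
import base64
import json

# Constructed sample of a Keycloak access-token payload (not a real token).
# The claim layout (realm_access / resource_access) is Keycloak's default
# role mapping; the client ids, roles, issuer and subject are made up.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example.com/auth/realms/demo",
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "azp": "billing-service",  # the client that requested this token
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "billing-service": {"roles": ["invoice:read", "invoice:write"]},
        "inventory-service": {"roles": ["stock:read"]},
        "shipping-service": {"roles": ["label:create", "label:void", "route:read"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def encoded_size(payload: dict) -> int:
    """Size in bytes of the payload as it would appear in the JWT (base64url, no padding)."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


def client_roles(payload: dict, client_id: str) -> list:
    """Roles the token carries for one client; empty list if the client is absent."""
    return list(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))


def has_client_role(payload: dict, client_id: str, role: str) -> bool:
    """Eager check: decide from the roles embedded in the (already verified) token."""
    return role in client_roles(payload, client_id)


def restrict_to_client(payload: dict, client_id: str) -> dict:
    """Return a copy of the payload keeping only the client roles of `client_id`.

    This is what a token would look like if the client scope / role mapper only
    emitted the requesting client's roles. The input is not modified.
    """
    trimmed = {k: v for k, v in payload.items() if k != "resource_access"}
    own = payload.get("resource_access", {}).get(client_id)
    if own is not None:
        trimmed["resource_access"] = {client_id: {"roles": list(own.get("roles", []))}}
    return trimmed


def size_report(payload: dict, client_id: str) -> dict:
    """Bytes of encoded payload with all client roles vs. only this client's roles."""
    full = encoded_size(payload)
    own_only = encoded_size(restrict_to_client(payload, client_id))
    return {"full": full, "own_only": own_only, "saved": full - own_only}


def has_role_lazily(introspection: dict, client_id: str, role: str) -> bool:
    """Lazy check: decide from an RFC 7662 introspection response.

    The resource server holds only an opaque or minimal token and asks the
    authorization server per request. `active` is the only field RFC 7662
    requires; Keycloak additionally returns the token's claims when active.
    A response with active == False carries no authority whatever else it says.
    """
    if introspection.get("active") is not True:
        return False
    return has_client_role(introspection, client_id, role)


# Constructed introspection responses for the lazy path.
ACTIVE_RESPONSE = {"active": True, **SAMPLE_PAYLOAD}
REVOKED_RESPONSE = {"active": False, **SAMPLE_PAYLOAD}  # claims present but token revoked

if __name__ == "__main__":
    print(size_report(SAMPLE_PAYLOAD, "billing-service"))
    print(has_client_role(SAMPLE_PAYLOAD, "billing-service", "invoice:read"))
    print(has_role_lazily(REVOKED_RESPONSE, "billing-service", "invoice:read"))
```

`size_report` quantifies the complaint in the post: every extra client in `resource_access` adds its roles to every token the user receives, whether or not the requesting client (`azp`) can use them. `restrict_to_client` is only a model of the narrower token; producing it for real is a Keycloak mapper configuration question, which is what the first bullet asks. `has_role_lazily` shows the trade-off of the second bullet: the token stays small and revocation is honoured immediately, at the cost of one round trip to Keycloak per protected request.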