Short Access Tokens

Hi!
Our access tokens should be usable across multiple backend servers. Sending > 1 kB of access token with each request is not great for performance.

AFAIK OpenID Connect does not specify that the access token has to be a JWT; the information provided in the token could also be obtained through the UserInfo endpoint.

Keycloak does not seem to support short tokens; the minimum I could get was ~800 bytes (signing with ES256 or HS256 instead of RS256, and moving roles, profile, email & co. to UserInfo).

Are there recommended ways to get the token that is sent down to ~30-100 bytes?

I am thinking of developing a plugin for a proxy that would handle the OIDC part using the Authorization Code Flow. It would maintain a session (a session on a redundant service :thinking:), store the tokens there, and insert them into every request. But that feels pretty complicated.

Btw: there is an issue for reference tokens, but I feel everyone has different expectations of what they should look like: [KEYCLOAK-8278] Reference tokens (non-opaque tokens) - Red Hat Issue Tracker

Any advice? Thanks in advance!!
Thomas

1 Like
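The proxy approach sketched in the post, written out as an added example in Go (this is not Thomas's code and not part of Keycloak): the browser carries only a 43-character opaque session ID in a cookie, the proxy resolves that ID to the stored JWT and injects it as a bearer header toward the backends, which keep validating the full token as before. The in-memory store, the cookie name `sid`, the handler names and the constructed token value are assumptions for the example; the OIDC login/callback that would call `Put` is not shown, and a shared store (Redis or similar) would replace the map so several proxy instances can serve one session.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// ErrNoSession is returned when an ID does not map to a live session.
var ErrNoSession = errors.New("unknown or expired session")

type session struct {
	accessToken string // the large JWT; it never leaves the proxy
	expires     time.Time
}

// SessionStore maps short opaque IDs to upstream tokens. The in-memory map is
// an assumption for this example; several proxy instances would need a shared
// store (Redis or similar) behind the same two methods.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]session)}
}

// NewOpaqueID returns 256 bits from the CSPRNG as unpadded base64url: 43 ASCII
// characters, which is all the client has to send per request.
func NewOpaqueID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Put stores a token obtained by the proxy's Authorization Code Flow callback
// and returns the opaque ID the browser carries instead of the token.
func (s *SessionStore) Put(accessToken string, ttl time.Duration) (string, error) {
	id, err := NewOpaqueID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = session{accessToken: accessToken, expires: time.Now().Add(ttl)}
	return id, nil
}

// Lookup resolves an ID to its token and evicts expired entries on the way.
func (s *SessionStore) Lookup(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok || time.Now().After(sess.expires) {
		delete(s.sessions, id)
		return "", ErrNoSession
	}
	return sess.accessToken, nil
}

// TokenInjector is the per-request middleware. It resolves the session cookie
// and overwrites whatever Authorization header the client sent with the stored
// JWT; requests without a live session are rejected and never reach a backend.
func TokenInjector(store *SessionStore, cookieName string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		var token string
		if err == nil {
			token, err = store.Lookup(c.Value)
		}
		if err != nil {
			http.Error(w, "no live session", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Authorization", "Bearer "+token)
		next.ServeHTTP(w, r)
	})
}

func main() {
	store := NewSessionStore()
	// Constructed stand-in for a Keycloak JWT; real ones are hundreds of bytes.
	id, _ := store.Put("eyJhbGciOiJSUzI1NiJ9.constructed.jwt", time.Hour)
	fmt.Printf("client sends %d bytes: %s\n", len(id), id)
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend got %d-byte Authorization header\n", len(r.Header.Get("Authorization")))
	})
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", TokenInjector(store, "sid", backend)))
}
```

Two details matter for this to be safe in practice: the middleware must overwrite, not merge, the incoming Authorization header, so a client cannot smuggle its own bearer token past the proxy (that is why `Header.Set` is used), and the cookie holding the ID should be set with HttpOnly, Secure and a SameSite attribute, since it now stands in for the token. The backends see exactly the JWT they see today, so nothing changes on their side; only the browser-to-proxy hop is down to the cookie.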