Security implications of making client scopes optional to reduce JWT size

Hello,

We’re currently managing a Keycloak server with multiple realms (tens of them) and encountered an issue where our REST API calls fail with ‘HTTP Error 431 Request Header Fields Too Large’ due to JWT size limitations.

We found a workaround by marking certain client scopes as ‘Optional’ in the client configuration, which reduces the amount of data included in the JWT. While this solves our immediate problem, we want to ensure this approach is secure.

Specifically, I’d like to know:

  1. Are there any security implications or downsides to making client scopes optional?
  2. Is this a recommended approach for handling large JWTs?

This entirely depends on what your clients do with the JWT.

Optional scopes are only included if explicitly requested, so if a client does need the information and does not request it, it will be missing. If the client handles this correctly (anything missing gives a negative on rights evaluation) then it will be secure.

If the client does not need the info, then it is actually good practice not to include it as it avoids leaking anything to that client.

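Worked example of the fail-closed handling described in the answer above (added here; not code from this thread or from Keycloak): the client verifies the token signature first, then treats a missing `realm_access` claim, which is what the slimmed-down token looks like when the roles client scope is optional and was not requested, as granting no role at all. The HS256 key, the two token payloads and the function names are constructed for the demo; Keycloak itself signs access tokens with the realm's RS256 key by default.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; a real verifier uses the realm's public key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    # Builds a constructed HS256 token so the example runs offline.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    # Verify before trusting any claim; reject unexpected algorithms outright.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def has_realm_role(claims: dict, role: str) -> bool:
    # Fail closed: when the roles scope is optional and was not requested,
    # realm_access is simply absent, and absence must evaluate to "no".
    realm_access = claims.get("realm_access")
    if not isinstance(realm_access, dict) or not isinstance(realm_access.get("roles"), list):
        return False
    return role in realm_access["roles"]


def demo() -> tuple:
    # Two constructed tokens for the same user: one issued with the roles scope
    # requested, one without it (the slimmed-down token from the thread).
    with_roles = make_hs256_jwt({"sub": "alice", "scope": "openid roles",
                                 "realm_access": {"roles": ["admin"]}}, KEY)
    without_roles = make_hs256_jwt({"sub": "alice", "scope": "openid"}, KEY)
    return (has_realm_role(verify_hs256_jwt(with_roles, KEY), "admin"),
            has_realm_role(verify_hs256_jwt(without_roles, KEY), "admin"))
```

`demo()` returns `(True, False)`: the same user is an admin when the roles scope was requested and is denied, rather than crashing or being waved through, when the claim is absent.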

Another option to avoid adding too much information to the JWT is calling the UserInfo [1] endpoint to get additional claims about the authenticated end user.

[1] Final: OpenID Connect Core 1.0 incorporating errata set 2
