
Keycloak bearer tokens issued for thirdroom.io are enormous

Open ara4n opened this issue 2 years ago • 2 comments

My access token in an OIDC world with KC has ended up being 1743 bytes long (of base64). This is crazy long, especially given how many requests Matrix does, and especially given we finally stripped down the size of access_tokens in synapse to be something sensible in https://github.com/matrix-org/synapse/pull/5588, inspired by https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

ara4n avatar Aug 17 '22 22:08 ara4n

It is up to the OIDC Provider to decide what kind of bearer token to issue. It's not dictated in the standard.

As far as I know Keycloak doesn't support the use of lightweight/opaque tokens and instead only uses JWTs which do end up being large.

There is a thread about adding this feature: https://github.com/keycloak/keycloak/discussions/9713

If token size is important then a different OP might be more suitable. n.b. I think HTTP/2 does header compression so perhaps it is less of an issue than it might have been in the past?

hughns avatar Aug 18 '22 10:08 hughns

yup, good point that HPACK should squish the whole thing down to a single byte for HTTP/2 & 3

ara4n avatar Aug 18 '22 23:08 ara4n
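To make the two points in this thread concrete (a Keycloak-style JWT is large because it carries its claims and signature inline, and HTTP/2 header compression amortises that cost over a connection), here is an added example that is not part of the issue or of any Keycloak, Synapse or thirdroom code. The claims are constructed to resemble a Keycloak access token; HS256 is used so it runs offline (Keycloak's default RS256 adds a 256-byte signature, 342 base64url characters). The HPACK part is a minimal reimplementation of the RFC 7541 rules for one header, enough to show what the first and repeated Authorization headers cost on one connection, and the one caveat worth checking: the default dynamic table is 4096 bytes (RFC 7540 SETTINGS_HEADER_TABLE_SIZE) and each entry is charged name + value + 32 bytes, so a token that does not fit is sent as a literal on every request. HTTP/3 uses QPACK (RFC 9204), which has the same static-name plus dynamic-table structure.

```python
import base64
import hashlib
import hmac
import json
import secrets

# ---- Part 1: where the bytes of a Keycloak-style JWT go ----------------------
# Constructed claims resembling a Keycloak access token (not the issue's token).
EXAMPLE_CLAIMS = {
    "exp": 1660780800, "iat": 1660780500,
    "jti": "0f3e6a1c-7b2d-4c9e-9a8f-1d2e3f4a5b6c",
    "iss": "https://auth.example.com/realms/example",
    "aud": ["account", "thirdroom"],
    "sub": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
    "typ": "Bearer", "azp": "thirdroom",
    "session_state": "9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b",
    "acr": "1",
    "allowed-origins": ["https://thirdroom.io"],
    "realm_access": {"roles": ["default-roles-example", "offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
    "scope": "openid email profile",
    "email_verified": True, "name": "Example User",
    "preferred_username": "example", "given_name": "Example",
    "family_name": "User", "email": "example@example.com",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; 'kid' and the key are constructed for the example."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "constructed-kid"}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    parts.append(b64url(hmac.new(key, signing_input, hashlib.sha256).digest()))
    return ".".join(parts)

def segment_sizes(token: str) -> dict:
    """Base64url length of each segment: this is what travels on the wire."""
    header, payload, sig = token.split(".")
    return {"header": len(header), "payload": len(payload), "signature": len(sig)}

def opaque_token() -> str:
    """Cost of an opaque bearer token: 32 random bytes, 43 base64url chars."""
    return secrets.token_urlsafe(32)

# ---- Part 2: what HPACK (RFC 7541) does to a repeated Authorization header ----
STATIC_AUTHORIZATION_INDEX = 23   # RFC 7541 Appendix A: entry 23 is "authorization"
STATIC_TABLE_SIZE = 61            # dynamic entries are numbered from 62
ENTRY_OVERHEAD = 32               # RFC 7541 section 4.1
DEFAULT_TABLE_SIZE = 4096         # SETTINGS_HEADER_TABLE_SIZE default

def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 section 5.1 integer with an N-bit prefix in the first byte."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

class HpackEncoder:
    """Per-connection encoder state, reduced to what one header needs."""
    def __init__(self, max_table_size: int = DEFAULT_TABLE_SIZE):
        self.max_table_size = max_table_size
        self.dynamic = []   # newest first, (name, value) pairs

    def _size(self) -> int:
        return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.dynamic)

    def encode_authorization(self, token: str) -> bytes:
        name, value = b"authorization", f"Bearer {token}".encode()
        for i, entry in enumerate(self.dynamic):
            if entry == (name, value):          # section 6.1: indexed header field
                return encode_int(STATIC_TABLE_SIZE + 1 + i, 7, 0x80)
        if len(name) + len(value) + ENTRY_OVERHEAD > self.max_table_size:
            # Does not fit the table: literal without indexing (section 6.2.2),
            # so every request on the connection pays the full value.
            return encode_int(STATIC_AUTHORIZATION_INDEX, 4, 0x00) + encode_int(len(value), 7) + value
        # Literal with incremental indexing (section 6.2.1), name from static table.
        self.dynamic.insert(0, (name, value))
        while self._size() > self.max_table_size:
            self.dynamic.pop()
        return encode_int(STATIC_AUTHORIZATION_INDEX, 6, 0x40) + encode_int(len(value), 7) + value

def per_request_sizes(token: str, requests: int, table_size: int = DEFAULT_TABLE_SIZE) -> list:
    """Encoded Authorization header size for each request on one HTTP/2 connection."""
    enc = HpackEncoder(table_size)
    return [len(enc.encode_authorization(token)) for _ in range(requests)]
```

With a 1743-character token the first request on a connection costs 1754 bytes for the header and every later one costs a single byte (0xBE, dynamic index 62), which is the effect described above. The table is per connection, so a client that reconnects often, or a token long enough to exceed the 4096-byte default, pays the full size each time; the second case is what the 4100-character input in the block exercises.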