JWT access token public information and size
Right now my Spring OAuth2 JWT access token contains following information:
Is it safe to have authorities in public access in this JWT token ?
Also, the size of this token is 1500 bytes. Is it normal for JWT ? What is the size limitation for JWT tokens ?
I would hide some information from potential attackers, f.e. userId. This helps protect the user from access to personal data.
F.e. if I have some Facebook user's id, I can get him/her page at the URI http://facebook.com/u/{userId}.
You can encrypt JWT with the help of JSON Web Encryption or you can use alternate user unique key, that inaccessible through the URI.
As for the size of a token, there isn't special restrictions. But I think you should decrease the size, if you can because this is a remote call. In your case you can use bits instead of full permission names.
- Calling api request inside an interceptor for jwt refresh token going to an infinite loop
- Blazor WASM - Component State from Server Missing
- Spring security JWT without OAuth
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- Azure Access token just created but not capable to verify that is authentic
- Invalidation of previous JWT Tokens in Django Rest Framework
- Use delegated permissions with Client App Registration
- Create middleware which rewrites headers and redirects url to API server
- Using Postman Vault secrets in JWT generation in Pre-request script
- JWT token authentication fails with message "PII is hidden"
- How to decode JWT Token?
- Authorized Client Applications not working with azure-cli
- Getting user data through an Azure AD OAuth login - React Native Expo App
- How to properly handle token expiry with Auth.js (NextAuth v5)?
- Two blazor server apps sharing same Authentication Library Project and same Library Project for SignalR communication
- Error with autowiring in WebSecurityConfiguration bean Spring boot security
- java-jwt with public/private keys
- Azure generation token invalid signature
- What is secret key for JWT based authentication and how to generate it?
- How to generate JWT in PHP
- Is it possible to create a JWT authentication or something similar in Node.js without using frameworks?
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- Cannot find a way to decrypt a JWE token in python (but created in ASP.Net) using jwcrypto
- Node.js JWT refresh token in express middleware
- Why isn't my "refresh token" cookie included in Axios requests, even with withCredentials enabled?
- How to verify JWT id_token produced by MS Azure AD?
- Problem with JWT authorization in ASP.NET Core
- Options for token storage and refresh in SPAs
- How can I decode a google OAuth 2.0 JWT (OpenID Connect) in a node app?
- Revoking JWT with No Expiration