
Right now my Spring OAuth2 JWT access token contains following information:

[screenshot of the token's claims; image not available]

Is it safe to have authorities publicly accessible in this JWT token?

Also, the size of this token is 1500 bytes. Is that normal for a JWT? What is the size limitation for JWT tokens?

alexanoid

Comment: See http://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token/26034157#26034157 for JWT size – Spomky-Labs Sep 29 '16 at 12:07

2 Answers

I would hide some information from potential attackers, e.g. userId. This helps protect the user from access to personal data.

E.g. if I have some Facebook user's id, I can get his/her page at the URI http://facebook.com/u/{userId}.

You can encrypt the JWT with the help of JSON Web Encryption, or you can use an alternate unique user key that is inaccessible through the URI.

As for the size of a token, there are no special restrictions. But I think you should decrease the size if you can, because this is a remote call. In your case you can use bits instead of full permission names.

Mark Shevchenko


I think you should keep the minimum information in the token so that the size is not increased, because it travels with each request from client to server. If you want to keep more information associated with this JWT, then you can use Redis and keep all the information associated with this token in Redis, like your permissions. A second benefit would be that you will be able to revoke the JWT tokens when the user logs out. I am pretty sure that right now, after logging out the user, you are just removing it from your client side only, but if you use the token again and the token is not expired, then it will be used.

localhost
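The following is an added example written for this page; it is not code from the question, from either answer, or from Spring Security. It uses only the Python standard library to build a minimal HS256 JWT and then shows the three points the two answers make: the payload of a signed (not encrypted) JWT is readable by anyone holding the token without the key, so authorities placed there are effectively public; encoding authorities as a bit mask instead of a list of names shrinks the token; and keeping the permissions in a server-side store keyed by the token id (an in-memory dict stands in for Redis here) lets a logout revoke a token that has not yet expired. The secret, the authority names and their bit assignments are constructed values for the demonstration.

```python
"""Added example: minimal HS256 JWT (standard library only) illustrating
public claims, bit-mask authorities and server-side revocation."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: HMAC key known only to the server


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """header.payload.signature with compact JSON so sizes are comparable."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Returns the claims if the signature is valid and 'exp' is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def read_payload_without_key(token: str) -> dict:
    """What any holder of the token can do: claims are base64url, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


# Authorities as bit flags (constructed names; real mapping lives on the server).
AUTHORITY_BITS = {"ROLE_USER": 1 << 0, "ROLE_ADMIN": 1 << 1,
                  "ORDER_READ": 1 << 2, "ORDER_WRITE": 1 << 3}


def pack_authorities(names) -> int:
    return sum(AUTHORITY_BITS[n] for n in names)


def unpack_authorities(mask: int) -> list:
    return [n for n, bit in AUTHORITY_BITS.items() if mask & bit]


def token_sizes(names, exp: int):
    """Length in characters of a token carrying names vs. the same rights as a mask."""
    full = sign_jwt({"sub": "42", "authorities": list(names), "exp": exp})
    packed = sign_jwt({"sub": "42", "auth": pack_authorities(names), "exp": exp})
    return len(full), len(packed)


# Server-side session store: a dict stands in for Redis (assumption for the demo).
SESSION_STORE = {}


def issue_session_token(user_id: str, names, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Token carries only an opaque id and expiry; user id and rights stay server-side."""
    now = now if now is not None else time.time()
    jti = secrets.token_urlsafe(16)
    SESSION_STORE[jti] = {"user": user_id, "authorities": list(names)}
    return sign_jwt({"jti": jti, "exp": int(now + ttl)})


def authorize(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Server-side record for the token, or None if it is invalid, expired or revoked."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return None
    return SESSION_STORE.get(claims.get("jti"))


def logout(token: str, now: Optional[float] = None) -> bool:
    """Revokes the session; the signature stays valid but the lookup now fails."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return False
    return SESSION_STORE.pop(claims.get("jti"), None) is not None


if __name__ == "__main__":
    exp = 2_000_000_000
    names = ["ROLE_USER", "ROLE_ADMIN", "ORDER_READ", "ORDER_WRITE"]
    print("public claims:", read_payload_without_key(sign_jwt({"sub": "42", "authorities": names, "exp": exp})))
    print("sizes (names, mask):", token_sizes(names, exp))
    t = issue_session_token("42", ["ROLE_USER"], now=1000)
    print("before logout:", authorize(t, now=1001))
    logout(t, now=1001)
    print("after logout:", authorize(t, now=1001), "signature still valid:", verify_jwt(t, now=1001) is not None)
```

The mask version answers the first answer's size suggestion: the rights travel as one integer and are expanded with `unpack_authorities` on the server. The session-store version answers the second answer: because `authorize` consults `SESSION_STORE` rather than trusting claims in the token, `logout` makes an unexpired, correctly signed token useless, which a self-contained JWT cannot do on its own.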