
So, I'm building my first project that will be used in production with medium-high traffic.

I've decided to use Keycloak as an IdP for it, NodeJS as a backend, React for the frontend (both on TypeScript). For the back-end I want to use a bearer token as authentication.

As I've been studying about Keycloak, I've seen that it uses JWT tokens filled up with data from the user. I also stumbled across some people that advised AGAINST using JWT tokens with data from the user.

The points that were made seemed pretty valid to me to be honest - but now, what is my alternative to them when using Keycloak? Okay, if I used my own authentication & authorization systems I could just use classic sessions I guess. But I don't know how to implement them in Keycloak. Also, it seems strange to me that something as popular and big as Keycloak would use something that would be bad by default (JWT) - so I'm not really sure if I should even change this mechanism.

So, my questions are:

Am I safe to use JWT tokens with user's data? (default for Keycloak) Here's how it looks:

{
  exp: 1645637327,
  iat: 1645601327,
  jti: 'removed',
  iss: 'http://localhost:8080/auth/realms/supercatalog',
  aud: 'account',
  sub: 'removed',
  typ: 'Bearer',
  azp: 'restapi',
  session_state: '2434f33d-73c4-4f38-8c80-e92356380ffa',
  acr: '1',
  'allowed-origins': [ '' ],
  realm_access: {
    roles: [
      'app-elev',
      'offline_access',
      'uma_authorization',
      'default-roles-supercatalog'
    ]
  },
  resource_access: { restapi: { roles: [Array] }, account: { roles: [Array] } },
  scope: 'email profile',
  sid: 'removed',
  email_verified: false,
  preferred_username: 'elev'
}

If not, what would be an alternative, while still using Keycloak?

Octavian Niculescu

1 Answer


You can keep the user information to a minimum in the access/id-token and then let the application or API query the UserInfo endpoint separately to get all the user details. The data in the token is pretty open, so if it is sent to the browser or is accessible by the user, then that can be a problem. But if it is all inside your backend, then there is less of a problem.

What are Keycloak's OAuth2 / OpenID Connect endpoints?

Tore Nestenius
  • It is really an opinion-based question/answer. I would say with my expertise: why should I query the IDP multiple times, when I can get everything in the access/id token directly? – Jan Garaj Feb 24 '22 at 14:53
  • There is no one answer for this question, it's all about trade-offs. One issue is that if you add all the personal data in the token, then the token might be pretty big, and in some systems, the tokens are included inside the session cookie, then the session cookie also gets very big... So, then keeping less important user data outside the token makes it smaller and you get a more performant system. – Tore Nestenius Feb 24 '22 at 16:08
  • Correct, there is no one answer, so the question should be closed. Otherwise, it will be a flame between many approaches. – Jan Garaj Feb 24 '22 at 17:55
  • I see. I will look into this topic a bit more. Thanks :) – Octavian Niculescu Feb 25 '22 at 14:49
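As an added example (not code from the answer, the question or Keycloak), this is roughly what the "keep the token minimal, trust only verified claims" approach looks like in a Node/TypeScript API: verify the signature and the exp, iss and aud claims, use only sub and the realm roles for authorization, and leave profile data (email, preferred_username, ...) to a separate UserInfo call. The signing key pair, the subject and the client id "restapi" are constructed here; a real API would load the realm's public key from Keycloak's JWKS endpoint.

```typescript
import * as crypto from "crypto";

// Constructed RSA key pair standing in for the realm's RS256 signing key. A real
// API loads the public key from Keycloak's JWKS endpoint instead (not done here).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const b64url = (s: string | Buffer): string => Buffer.from(s).toString("base64url");

export interface Claims {
  exp: number; iss: string; aud: string | string[]; azp?: string; sub: string;
  realm_access?: { roles: string[] }; [k: string]: unknown;
}

// Mints a token shaped like the Keycloak access token in the question (test use only).
export function mintToken(claims: Claims, key: crypto.KeyObject = privateKey): string {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Checks signature, algorithm, exp, iss and aud, then hands back only the subject
// and realm roles. Profile fields (email, preferred_username, ...) are deliberately
// not returned: the API fetches them from the UserInfo endpoint when it needs them.
export function verifyBearer(
  token: string, issuer: string, audience: string,
  now: number = Math.floor(Date.now() / 1000),
): { sub: string; roles: string[] } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const hdr = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  if (hdr.alg !== "RS256") return null; // pin the algorithm; never let the token choose it
  const ok = crypto.verify("sha256", Buffer.from(`${head}.${body}`), publicKey,
    Buffer.from(sig, "base64url"));
  if (!ok) return null; // signature does not match the realm key: tampered or foreign token
  const c = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
  if (typeof c.exp !== "number" || c.exp <= now) return null; // expired
  if (c.iss !== issuer) return null; // issued by a different realm
  // The sample token in the question carries aud "account"; for an API's own client
  // id to appear in aud, the Keycloak client needs an audience mapper configured.
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(audience)) return null;
  return { sub: c.sub, roles: c.realm_access?.roles ?? [] };
}
```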