ThatMan

Reputation: 178

Remove Roles Information from JWT token

I am using Keycloak for authentication for the application. I want to remove the realm access from the JWT token generated by Keycloak.

  1. Is it a bad practice to have realm access (roles) in the JWT token?
  2. Is there a way to remove realm access from the JWT token generated by the Keycloak service?

Upvotes: 2

Views: 2921

Answers (2)

Erfankam

Reputation: 387

I think it depends on the security policies that exist in your software boundary or environment. We had a project where having user or client roles inside the JWT token was flagged as a major security issue by security analysts, although we had launched it many times in other critical environments.
By the way, some software frameworks do proactive authorization checks using the roles that come inside the JWT, and so make them mandatory for these kinds of systems based on their security design.
So to wrap it up:

Ask the security analysts of your deployment environments about it.

Upvotes: -2

DavidPi

Reputation: 415

  1. I may be wrong, but I don't see this as a bad practice because the token is signed. A client won't be able to change the content of the token payload without knowing your secret (the token signature would be invalid). Just be sure to check the token validity.

  2. If you want to change the information provided in your token, you should have a look at the "Client Scope" section.

[screenshot of the Keycloak "Client Scope" section, not reproduced]

From there, you'll be able to change the content of your JWT token.

Upvotes: 2
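The two points made in the answers above (the roles claim is protected by the signature, so it can only be trusted if the resource server actually verifies the token; and the claim can simply be left out of the token at issuance) can be seen in a small self-contained example. This is added example code, not code from the question, the answers or Keycloak itself. It uses HS256 with a constructed shared secret so it runs offline; a real Keycloak realm signs access tokens with RS256 using the realm's key pair, and the `realm_access` claim is dropped by adjusting the client scope / protocol mappers, which the `include_realm_access` flag here only simulates.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed example secret. Keycloak really signs with an RS256 key pair;
# HS256 is used here only so the example is self-contained.
SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, secret: bytes, include_realm_access: bool = True) -> str:
    """Build an HS256 JWT. With include_realm_access=False the realm_access claim
    is removed before signing, which is what changing the client scope mappers
    achieves on the Keycloak side (simulated here, not Keycloak's own code)."""
    payload = dict(claims)
    if not include_realm_access:
        payload.pop("realm_access", None)
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if alg is the one we expect, the signature
    matches and the token has not expired; otherwise return None."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    payload = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return None
    return payload


def roles_from(payload: dict) -> List[str]:
    """Realm roles as carried in Keycloak's realm_access.roles claim."""
    return list(payload.get("realm_access", {}).get("roles", []))


def reencode_payload_without_resigning(token: str, new_roles: List[str]) -> str:
    """Rewrite the roles in the payload but keep the old signature: this is all a
    client without the key can do, and verify_token must reject the result."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload.setdefault("realm_access", {})["roles"] = new_roles
    return f"{h64}.{_encode_json(payload)}.{s64}"


# Constructed claims resembling a Keycloak access token.
CLAIMS = {
    "iss": "https://keycloak.example.invalid/realms/demo",
    "sub": "constructed-user-id",
    "exp": 2_000_000_000,
    "realm_access": {"roles": ["user", "admin"]},
}

if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token(CLAIMS, SECRET)
    print("roles in valid token:", roles_from(verify_token(tok, SECRET, now)))
    forged = reencode_payload_without_resigning(tok, ["admin", "superadmin"])
    print("forged token accepted:", verify_token(forged, SECRET, now) is not None)
    slim = issue_token(CLAIMS, SECRET, include_realm_access=False)
    print("realm_access present in slim token:", "realm_access" in verify_token(slim, SECRET, now))
```

The resource server's check (signature, pinned algorithm, expiry) is what makes the roles claim trustworthy; if that check is skipped, the payload is just base64 and anyone can edit it. Whether to keep the claim at all is then the policy question Erfankam raises.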
