Access tokens growing large, how do I mitigate?

My tokens currently sit at around 1kb. This is with the permissions fields from the RBAC settings, and one name-spaced claim with a timestamp for the end of the billing cycle (basically when their subscription is up). We are discussing adding more values, where it will likely grow to 2-3kb.

I worry that our access tokens won’t be able to reasonably hold all data required to authorize requests for all of the relevant routes. Do we need to move away from self-contained tokens? What is the alternative?

All I can think is that we start using only a user identifier in the access token, and then request the claims info from an authorization service on each request, caching as needed. It feels like I’m fundamentally misunderstanding the point of access tokens, since the only solution I can think of is to make an outside request (completely antithetical to the JWT mantra).

Hey there @jetjacobs!

I’m not sure how much of an effect it will have on the size of tokens, but I’ve definitely seen where roles are used instead of adding actual permissions to tokens. That is, you would infer permissions based on the roles in order to consolidate.

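The role-based consolidation the reply describes, as an added example that is not code from the original thread: the token carries a short `roles` claim, the server expands roles into permissions from its own mapping, and the explicit-permissions token is encoded alongside so the size difference can be measured. The role map, claim names, user id and signing secret are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side mapping; in practice this lives with the authorization service.
ROLE_PERMISSIONS = {
    "billing_admin": {"read:invoices", "write:invoices", "read:subscription", "update:subscription"},
    "editor": {"read:documents", "write:documents", "read:comments", "write:comments"},
    "viewer": {"read:documents", "read:comments"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload: dict, secret: bytes) -> str:
    """Compact JWS serialization with HS256, stdlib only, used here to measure token size."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the signature before trusting any claim; reject on mismatch."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def permissions_for(roles) -> set:
    """Expand roles into permissions server-side; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def authorize(claims: dict, required: str) -> bool:
    """Accept a token carrying explicit permissions or one carrying only roles."""
    if required in claims.get("permissions", []):
        return True
    return required in permissions_for(claims.get("roles", []))

def build_tokens(roles, secret: bytes = b"constructed-demo-secret"):
    """Return (permissions-in-token, roles-in-token) for the same user and roles."""
    base = {"sub": "user_123", "https://example.com/billing_cycle_end": 1735689600}
    fat = dict(base, permissions=sorted(permissions_for(roles)))
    lean = dict(base, roles=sorted(roles))
    return encode_hs256(fat, secret), encode_hs256(lean, secret)
```

Comparing `len()` of the two tokens shows how much of the payload the permission list accounts for; the roles token stays small as permissions are added to the mapping, at the cost of the server needing the mapping at request time.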
