
Make it possible to disable mirroring of custom claims in JWT #3348

Closed
4 of 6 tasks
tlyng opened this issue Nov 9, 2022 · 3 comments
Labels
feat New feature or request.

Comments

@tlyng

tlyng commented Nov 9, 2022

Preflight checklist

Describe your problem

In a project I'm working on we are using custom claims and JWT in our solution. We've encoded group membership in a custom top-level claim called "principals". This custom claim can be of some size, and when it's automatically mirrored back to the ext structure the JWT gets twice as big. Eventually the situation popped up where the size of the JWT was too big for browsers (4096-4097 byte limit usually) to transfer to the backend. As a result of this the JWT gets partially transferred and the receiving backend is unable to validate and decode the token.

Describe your ideal solution

An ideal solution would be to introduce another configuration flag for hydra, which allows us to disable / enable this custom claim mirroring functionality.

A configuration flag for allowing custom top-level claims already exists: oauth2.allowed_top_level_claims. Adding another flag oauth2.mirror_top_level_claims: true / false (default: true) would enable us to reduce the size of the JWT token. This won't solve our issue permanently, but at least it would reduce the chance of it ever occurring. According to #1974 this mirroring functionality is supposed to be a temporary solution to maintain backward compatibility. This suggested solution won't remove this backward compatibility, only allow users to disable it if wanted (default enabled).

Workarounds or alternatives

An alternative solution for us is forking hydra and adding this functionality to our fork. We really don't want to maintain our own fork, so having this functionality in upstream sources would be preferable for us.

Version

v1.10.5

Additional Context

No response

@tlyng tlyng added the feat New feature or request. label Nov 9, 2022
tlyng added a commit to tlyng/hydra that referenced this issue Nov 9, 2022
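To make the size problem described in the issue concrete, here is an added illustration (not code from the issue, the linked commit, or Hydra itself) that builds a token with one large custom claim, signs it with the standard library, and measures the compact serialization with and without the duplicate copy under ext. The claim layout, the issuer, the signing key and the group names are constructed; the name oauth2.mirror_top_level_claims is the flag proposed above and is modelled here as a plain boolean, which is an assumption about how such a setting would behave.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Size at which the issue reports browsers failing to transfer the token.
const browserLimit = 4096

// constructedSession stands in for what a consent app returns as
// session.access_token: one large custom claim, "principals", encoding
// group membership. All values here are constructed for this example.
func constructedSession(groups int) map[string]any {
	principals := make([]string, groups)
	for i := range principals {
		principals[i] = fmt.Sprintf("group-%03d-engineering-platform", i)
	}
	return map[string]any{"principals": principals}
}

func contains(list []string, name string) bool {
	for _, s := range list {
		if s == name {
			return true
		}
	}
	return false
}

// buildClaims models how a custom claim ends up in the payload. Claims named
// in allowedTopLevel (oauth2.allowed_top_level_claims) are placed at the top
// level. mirror models the proposed oauth2.mirror_top_level_claims flag
// (an assumption): when true the claim is also kept under "ext", which is
// the duplicate that inflates the token.
func buildClaims(session map[string]any, allowedTopLevel []string, mirror bool) map[string]any {
	claims := map[string]any{
		"iss": "https://hydra.example", // constructed issuer
		"sub": "user-123",              // constructed subject
		"exp": 1700000000,
	}
	ext := map[string]any{}
	for name, v := range session {
		if contains(allowedTopLevel, name) {
			claims[name] = v
			if !mirror {
				continue // top-level copy only, nothing kept under ext
			}
		}
		ext[name] = v
	}
	if len(ext) > 0 {
		claims["ext"] = ext
	}
	return claims
}

// signHS256 produces a compact JWT with an HMAC-SHA256 signature using only
// the standard library, so the measured length is a real token length.
func signHS256(claims map[string]any, key []byte) (string, error) {
	header := []byte(`{"alg":"HS256","typ":"JWT"}`)
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// TokenSize returns the compact-serialized length of the constructed token
// with mirroring on or off (80 groups, constructed key).
func TokenSize(mirror bool) int {
	claims := buildClaims(constructedSession(80), []string{"principals"}, mirror)
	tok, err := signHS256(claims, []byte("constructed-example-key"))
	if err != nil {
		panic(err)
	}
	return len(tok)
}

// HasExtCopy reports whether the payload still carries the duplicate under "ext".
func HasExtCopy(mirror bool) bool {
	claims := buildClaims(constructedSession(80), []string{"principals"}, mirror)
	ext, ok := claims["ext"].(map[string]any)
	if !ok {
		return false
	}
	_, dup := ext["principals"]
	return dup
}

func main() {
	for _, mirror := range []bool{true, false} {
		n := TokenSize(mirror)
		fmt.Printf("mirror=%-5v size=%d bytes over_limit=%v\n", mirror, n, n > browserLimit)
	}
}
```

With 80 group names the mirrored token lands well above 4096 bytes while the single-copy token fits, which is the same check an operator can run against their own consent payload before relying on a large top-level claim: compute the length of the signed, base64url-encoded token rather than the JSON, since the encoding adds a third on top of any duplication.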
@dastein1
Contributor

I'm currently evaluating ory/hydra for our use case. The only roadblock thus far is that the mirroring of JWT claims blows up our already big JWTs even further. Would a PR that introduces this config (mirror_top_level_claims) have any chance?

@kmherrmann
Contributor

Thanks for checking in - yes, a configuration option would be fine, PR welcome!
@hperl @aeneasr FYI

@dastein1
Contributor

dastein1 commented Jul 6, 2023

I've created the PR. It's closely aligned to what @tlyng did, but updates all snapshots and tests for it. I was not able to join slack (I never got the invite). Could I get another invite to further discuss the PR there?
