EUREKA-704 Lightweight access tokens configuration in Keycloak

Spike overview

EUREKA-704: Kong fails to create large amount of tenants (status: Closed)

Fix 403 Forbidden errors when lightweight access tokens are used for folio-backend-admin-client

Background

When we create a lot of tenants we end up with a lot of realms in Keycloak, since there is one Keycloak realm per tenant. When we obtain an access token for the Keycloak client folio-backend-admin-client, that access token contains resource_access information for every realm. This makes the access token very big, and it no longer fits into an HTTP header.

Possible solution for that is to use lightweight access token functionality of Keycloak (see https://www.keycloak.org/docs/latest/server_admin/index.html#_using_lightweight_access_token ).

But enabling lightweight access tokens was causing 403 Forbidden errors.

Problem statement

Enabling lightweight access tokens for folio-backend-admin-client caused 403 Forbidden errors, but not using lightweight access tokens leaves the access token too big to fit into an HTTP header.

Proposed Solutions

Enable “realm roles” mapper for lightweight access token.

Step 1 (prerequisite) - enable lightweight access token for folio-backend-admin-client

In order to enable lightweight access token, do the following:

  • 1.1 - Enable “Always use lightweight access token” for the folio-backend-admin-client client in the “Advanced” client settings

Step 2 (solution) - enable “realm roles” mapper for lightweight access token of folio-backend-admin-client

  • 2.1 - Go to “Client scopes”, open the scope folio-backend-admin-client-dedicated and, in “Mappers”, click “Add mapper” → “From predefined mappers”

  • 2.2 - Choose the “realm roles” mapper

  • 2.3 - Add that mapper, open its details, enable the “Add to lightweight access token” checkbox and click “Save”

Testing:

The following flows were executed to verify the solution:

  • tenant creation - more than 30 new tenants were created, using the token obtained from folio-backend-admin-client as authorization

  • tenant entitlement - an application such as app-platform-minimal was entitled for a tenant, using the token obtained from folio-backend-admin-client as authorization
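A quick check to run on a token obtained from folio-backend-admin-client before and after the change: decode the JWT payload, compare its size against a header limit, and confirm that realm_access.roles survived the switch to lightweight tokens. This is an added example, not code from the spike; the tokens, role names, realm names and the 8192-byte limit are constructed assumptions.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    # Constructed, unsigned token (empty signature part); used only so the
    # size and claim checks below can run offline on realistic-looking input.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_token(token: str, required_realm_roles: set, header_limit: int = 8192) -> dict:
    # header_limit is an assumed proxy header budget, not a Keycloak value.
    payload = decode_payload(token)
    roles = set(payload.get("realm_access", {}).get("roles", []))
    return {
        "bytes": len(token),
        "fits_header": len(token) <= header_limit,
        "resource_access_realms": len(payload.get("resource_access", {})),
        # Roles a caller needs but the token lacks: the cause of 403s after
        # enabling lightweight tokens without the "realm roles" mapper.
        "missing_realm_roles": sorted(required_realm_roles - roles),
    }


def fat_token(n_tenants: int) -> str:
    # Full token: resource_access grows with every tenant realm (constructed names).
    payload = {
        "sub": "folio-backend-admin-client",
        "realm_access": {"roles": ["admin"]},
        "resource_access": {
            f"tenant{i}-realm": {"roles": ["manage-realm", "manage-users"]}
            for i in range(n_tenants)
        },
    }
    return make_unsigned_jwt(payload)


def lightweight_token(include_realm_roles: bool) -> str:
    # Lightweight token: no resource_access; realm_access only if the mapper is enabled.
    payload = {"sub": "folio-backend-admin-client"}
    if include_realm_roles:
        payload["realm_access"] = {"roles": ["admin"]}
    return make_unsigned_jwt(payload)
```

To inspect a real token, pass its raw JWT string to check_token; the token is decoded, not verified, so this is a configuration check, not an authorization decision.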
