[Openid-specs-fapi] Issue #273: Security considerations re large access tokens (openid/fapi)
issues-reply at bitbucket.org
Wed Oct 23 12:46:55 UTC 2019
New issue 273: Security considerations re large access tokens
A question has been raised about whether there are any maximum lengths for access tokens.
There doesn't seem to be anything in any of the underlying specs; however, if tokens exceed 8k, they may be rejected by most standard web servers. Best practice seems to be to limit header size to prevent DDoS attacks.
Do we need anything in FAPI on this?
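An added example (not from the issue or from the FAPI specs) showing both sides of the size concern: estimating how large a JWT access token will be before it is issued, and a resource-server pre-check that refuses an oversized Authorization header before spending any parsing or signature work on it. The 8 KiB budget, the claim names and the sample sizes are constructed assumptions, not FAPI requirements.

```python
import base64
import json

# Budget for the whole Authorization header line. 8 KiB is the default request
# header limit on many common web servers (the figure cited in the issue);
# the value here is a constructed assumption, not a FAPI requirement.
HEADER_BUDGET_BYTES = 8 * 1024

# Constructed JWT header for an ES256-signed access token.
HEADER = {"alg": "ES256", "typ": "at+jwt", "kid": "key-1"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def estimate_jwt_size(header: dict, claims: dict, sig_len: int = 64) -> int:
    """Bytes in the compact serialisation of a JWT with these header and claims.
    sig_len is the raw signature length (64 bytes for ES256); the signature
    content does not matter for size, so zeros stand in for it."""
    segments = [b64url(json.dumps(header, separators=(",", ":")).encode()),
                b64url(json.dumps(claims, separators=(",", ":")).encode()),
                b64url(b"\x00" * sig_len)]
    return len(".".join(segments))


def sample_claims(n_scopes: int) -> dict:
    """Constructed access-token claims; n_scopes controls how bloated they get."""
    scope = " ".join(f"accounts:read:{i:04d}" for i in range(n_scopes))
    return {"iss": "https://as.example", "sub": "user-1234",
            "aud": "https://rs.example", "exp": 1700000000, "scope": scope}


def check_authorization_header(value: str, budget: int = HEADER_BUDGET_BYTES) -> str:
    """Resource-server pre-check: cheap length and shape checks run before any
    base64 decoding or signature verification, so oversized headers cost little."""
    if len(value.encode("utf-8")) > budget - len("Authorization: "):
        return "reject: header exceeds budget"
    if not value.startswith("Bearer "):
        return "reject: not a bearer token"
    return "ok"


if __name__ == "__main__":
    for n in (10, 400):
        size = estimate_jwt_size(HEADER, sample_claims(n))
        fits = size <= HEADER_BUDGET_BYTES
        print(f"{n:>3} scopes -> {size} bytes, within budget: {fits}")
```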