[Openid-specs-fapi] Issue #273: Security considerations re large access tokens (openid/fapi)

dgtonge issues-reply at bitbucket.org
Wed Oct 23 12:46:55 UTC 2019


New issue 273: Security considerations re large access tokens
https://bitbucket.org/openid/fapi/issues/273/security-considerations-re-large-access

Dave Tonge:

A question has been raised about whether there are any maximum lengths for access tokens.

There doesn’t seem to be anything in any of the underlying specs, however if tokens exceed 8k then they may be rejected by most standard web servers. Best practice seems to be to limit header size to prevent DDOS attacks. 

Do we need anything in FAPI on this? 
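The size concern above is easy to check before a token ever reaches a resource server. The following is an added example, not code from the issue or from the FAPI working group: it mints an HS256 JWT access token from a constructed claim set (issuer, client id, account identifiers and the signing key are all fictitious) and measures the resulting "Authorization: Bearer ..." field line against a conservative 8190-byte limit. That limit is an assumption chosen to match Apache's LimitRequestFieldSize default (8190) and nginx's large_client_header_buffers default (8k); a deployment should substitute whatever its own edge actually enforces.

```python
import base64
import hashlib
import hmac
import json

# Assumed per-field limit: Apache's LimitRequestFieldSize defaults to 8190 bytes and
# nginx's large_client_header_buffers to 8k. A token that does not fit here, with the
# field name and "Bearer " in front, risks a 400/431 at the edge before any app code runs.
DEFAULT_FIELD_LIMIT = 8190
HTTP_FIELD_NAME = b"Authorization: "


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact-serialised HS256 JWT with the stdlib only (for size measurement)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def authorization_field_size(token: str) -> int:
    """Bytes of the whole 'Authorization: Bearer <token>' field line, as a server counts it."""
    return len(HTTP_FIELD_NAME) + len(b"Bearer ") + len(token.encode("ascii"))


def fits_field_limit(token: str, limit: int = DEFAULT_FIELD_LIMIT) -> bool:
    """True if the bearer header built from this token stays within the assumed limit."""
    return authorization_field_size(token) <= limit


def sample_claims(n_details: int) -> dict:
    """Constructed claim set; the fine-grained entries are what make tokens grow."""
    return {
        "iss": "https://as.example.com",        # fictitious authorization server
        "sub": "user-12345",
        "aud": "https://api.example.com",       # fictitious resource server
        "client_id": "tpp-client-1",
        "exp": 1571836015,
        "scope": "openid accounts payments",
        "authorization_details": [
            {
                "type": "account_information",
                "actions": ["list_accounts", "read_balances", "read_transactions"],
                "locations": ["https://api.example.com/accounts"],
                "identifier": f"acct-{i:05d}",  # constructed account id
            }
            for i in range(n_details)
        ],
    }


KEY = b"constructed-demo-key-not-for-real-use"   # constructed; never reuse
SMALL_TOKEN = mint_hs256_jwt(sample_claims(2), KEY)    # a handful of entries
LARGE_TOKEN = mint_hs256_jwt(sample_claims(60), KEY)   # per-account entries at scale

if __name__ == "__main__":
    for name, tok in (("2 details", SMALL_TOKEN), ("60 details", LARGE_TOKEN)):
        print(f"{name}: {authorization_field_size(tok)} bytes, "
              f"fits {DEFAULT_FIELD_LIMIT}: {fits_field_limit(tok)}")
```

The point the numbers make is that a structured access token carrying one entry per account or per permission crosses 8 KiB well before anyone has deliberately made it "large"; an authorization server that emits such tokens either needs a known header budget agreed with resource servers or should issue a short opaque reference token and keep the claims behind introspection.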
