[openid-specs-rande] 2kb useable limit?
Hannah Short
hannah.short08 at gmail.com
Mon May 27 07:21:04 UTC 2019
Ok, thanks everyone :)
Our current example tokens get up to 1200b without signing information so
this quickly becomes a real issue if the 2kb restriction is hit. I *think*
(could be wrong!) in our case we wouldn't be putting tokens directly in a
URL.
Cheers,
Hannah
On Thu, 23 May 2019 at 19:44, Roland Hedberg <roland at catalogix.se> wrote:
> I heard a while ago (actually last week) that there were implementations
> out there in the wild that had problems with anything bigger than 2kb.
>
> So, it’s a real world problem. And I think where it really hits is when
> the JWT
> is part of a URL. Like when you have an id_token_hint in an authorisation
> request.
>
> On 23 May 2019, at 18:45, Mischa Salle <msalle at nikhef.nl> wrote:
>
> Hi,
>
> just to forward what I also wrote on the WLCG AuthZ WG mailing list:
>
> just a small note on the token size, also keep in mind that they are
> (typically) transported as JWT with signature and header and that you
> can remove some whitespace. All kinds of things that might influence the
> size. The size limitation might have to do with their use as bearer
> tokens, meaning they're (often) put in an Authorization header, see the
> OAuth2 bearer token RFC https://tools.ietf.org/html/rfc6750
> which might or might not be such a good idea...
>
>
> headers have no strict maximum size, but are often limited to 4kB or
> 8kB in webservers (although usually can also be increased).
>
> Where did you get the 2k limitation?
>
> Cheers,
> Mischa
>
>
>
> On Thu, May 23, 2019 at 04:36:10PM +0000, Nick Roy wrote:
>
> I found this thread, may be useful:
>
>
> https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token
>
> Nick
>
> On 23 May 2019, at 9:41, Hannah Short wrote:
>
> Hi everyone,
>
> I'm wondering whether anyone can clarify why there is a recommended limit
> of 2kb for OIDC tokens? Is this a limitation in a common library, or a
> length restriction of HTTP Headers, for example?
>
> Cheers,
> Hannah
> --
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande
>
> --
> Nikhef Room H155
> Science Park 105 Tel. +31-20-592 5102
> 1098 XG Amsterdam Fax +31-20-592 5155
> The Netherlands Email msalle at nikhef.nl <msalle at nikhef.nl>
> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
>
> — Roland
>
> Were it left to me to decide whether we should have a government
> without newspapers, or newspapers without a government, I should not
> hesitate a moment to prefer the latter. -Thomas Jefferson, third US
> president, architect, and author (1743-1826)
>
>
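Added example, not part of the original thread: a size estimate for the case discussed above, a 1200-byte claims payload serialized as a compact JWT and carried either in an Authorization header or as an id_token_hint URL parameter. The claims, the issuer URL and the 2048-bit key size behind the RS256 figure are assumptions made for illustration.

```python
import base64
import json

# Raw signature sizes in bytes; RS256 assumes a 2048-bit RSA key.
SIG_BYTES = {"HS256": 32, "ES256": 64, "RS256": 256}
# Limits quoted in the thread: the 2 kB figure and the 4 kB / 8 kB server header caps.
LIMITS = {"2kB": 2048, "4kB": 4096, "8kB": 8192}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for each JWS segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def compact_jws_len(claims: dict, alg: str = "RS256", minify: bool = True) -> int:
    """Length of header.payload.signature for the given claims and algorithm."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    if minify:
        payload = json.dumps(claims, separators=(",", ":")).encode()
    else:
        payload = json.dumps(claims, indent=2).encode()  # whitespace left in
    sig = bytes(SIG_BYTES[alg])  # zero-filled stand-in: only the length matters
    return len(".".join(b64url(part) for part in (header, payload, sig)))


def sample_claims(target: int = 1200) -> dict:
    """Constructed claims whose minified JSON is exactly `target` bytes."""
    claims = {"iss": "https://idp.example.org", "sub": "user-1", "groups": ""}
    pad = target - len(json.dumps(claims, separators=(",", ":")))
    claims["groups"] = "g" * pad
    return claims


def report(claims: dict, alg: str) -> dict:
    """Size on the wire in the two transports the thread mentions."""
    n = compact_jws_len(claims, alg)
    header_line = len("Authorization: Bearer ") + n
    param = len("id_token_hint=") + n  # base64url needs no percent-escaping
    return {
        "token": n,
        "authorization_header": header_line,
        "id_token_hint_param": param,
        "left_of_2kB_for_rest_of_url": LIMITS["2kB"] - param,
        "header_fits": {k: header_line <= v for k, v in LIMITS.items()},
    }


if __name__ == "__main__":
    for alg in SIG_BYTES:
        print(alg, report(sample_claims(), alg))
```

With RS256 the id_token_hint parameter alone leaves only a few dozen bytes of a 2 kB URL for the endpoint and the other request parameters, while the same token sits well inside a 4 kB or 8 kB header limit.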