[openid-specs-rande] 2kb useable limit?
Mischa Salle
msalle at nikhef.nl
Mon May 27 09:11:36 UTC 2019
Hi Hannah,
On Mon, May 27, 2019 at 09:21:04AM +0200, Hannah Short wrote:
> Ok, thanks everyone :)
>
> Our current example tokens get up to 1200b without signing information so
> this quickly becomes a real issue if the 2kb restriction is hit.
And this is without having many groups and roles and/or capabilities
inside the token...
> I *think* (could be wrong!) in our case we wouldn't be putting tokens
> directly in a URL.
In any case that's something strongly discouraged, see e.g. the OAuth2
bearer token RFC:
https://tools.ietf.org/html/rfc6750#section-5.3
"Don't pass bearer tokens in page URLs..."
which of course doesn't mean people don't do it, and indeed the OIDC
spec doesn't mention this:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
However, given the expected size, I think we should push for clients
to use POST (and support for POST is a requirement in any case).
Cheers,
Mischa
> On Thu, 23 May 2019 at 19:44, Roland Hedberg <roland at catalogix.se> wrote:
>
> > I heard a while ago (actually last week) that there were implementations
> > out there in the wild that had problems with anything bigger than 2kb.
> >
> > So, it’s a real world problem. And I think where it really hits is when
> > the JWT
> > is part of a URL. Like when you have an id_token_hint in an authorisation
> > request.
> >
> > On 23 May 2019, at 18:45, Mischa Salle <msalle at nikhef.nl> wrote:
> >
> > Hi,
> >
> > just to forward what I also wrote on the WLCG AuthZ WG mailing list:
> >
> > just a small note on the token size, also keep in mind that they are
> > (typically) transported as JWT with signature and header and that you
> > can remove some whitespace. All kinds of things that might influence the
> > size. The size limitation might have to do with their use as bearer
> > tokens, meaning they're (often) put in an Authorization header, see the
> > OAuth2 bearer token RFC https://tools.ietf.org/html/rfc6750
> > which might or might not be such a good idea...
> >
> >
> > Headers have no strict maximum size, but are often limited to 4kB or
> > 8kB in webservers (although usually can also be increased).
> >
> > Where did you get the 2k limitation?
> >
> > Cheers,
> > Mischa
> >
> >
> >
> > On Thu, May 23, 2019 at 04:36:10PM +0000, Nick Roy wrote:
> >
> > I found this thread, may be useful:
> >
> >
> > https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token
> >
> > Nick
> >
> > On 23 May 2019, at 9:41, Hannah Short wrote:
> >
> > Hi everyone,
> >
> > I'm wondering whether anyone can clarify why there is a recommended limit
> > of 2kb for OIDC tokens? Is this a limitation in a common library, or a
> > length restriction of HTTP Headers, for example?
> >
> > Cheers,
> > Hannah
> > --
> > openid-specs-rande mailing list
> > openid-specs-rande at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-rande
> >
> > — Roland
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
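As an added illustration of the size arithmetic discussed in this thread (this is not code from the list or from any project mentioned in it): the script below builds a compact JWS over a constructed claim set whose list of group/role entries grows, with and without JSON whitespace, and reports whether the signed token crosses 2048 bytes. The key, issuer, audience, subject and the "groups" claim name are constructed placeholders; HS256 is used only so the example runs offline, and the comment notes how much larger an RSA signature would be.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-hmac-key"  # constructed demo secret only

def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS compact serialization (RFC 7515) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_jws(claims: dict, compact_json: bool = True) -> str:
    """HS256-sign claims (offline demo). An OIDC provider normally uses RS256/ES256;
    an RSA-2048 signature alone is 342 base64url characters instead of 43 here."""
    seps = (",", ":") if compact_json else (", ", ": ")
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=seps)
    payload = json.dumps(claims, separators=seps)
    signing_input = b64url(header.encode()) + "." + b64url(payload.encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_and_decode(token: str) -> dict:
    """Constant-time HS256 check, then the decoded claims."""
    h, p, s = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def demo_claims(n_groups: int) -> dict:
    """Constructed claim set: standard claims plus n_groups group/role entries."""
    return {"iss": "https://idp.example.org", "sub": "constructed-subject-0001",
            "aud": "https://rp.example.org", "exp": 1558962000, "iat": 1558958400,
            "groups": [f"/example/group{i:03d}/role" for i in range(n_groups)]}

def token_size_report(n_groups: int, limit: int = 2048) -> dict:
    """Byte sizes of the bare payload and the signed compact JWS (with and
    without JSON whitespace), and whether the signed token exceeds limit."""
    claims = demo_claims(n_groups)
    jws = compact_jws(claims)
    return {"n_groups": n_groups,
            "payload_json": len(json.dumps(claims, separators=(",", ":"))),
            "jws": len(jws),
            "jws_with_whitespace": len(compact_jws(claims, compact_json=False)),
            "over_limit": len(jws) > limit}

if __name__ == "__main__":
    for n in (0, 20, 80):
        print(token_size_report(n))
```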