[openid-specs-rande] 2kb useable limit?
Paul Millar
paul.millar at desy.de
Mon May 27 09:56:35 UTC 2019
Hi Mischa,
On 27/05/2019 11:11, Mischa Salle wrote:
>> Our current example tokens get up to 1200b without signing information so
>> this quickly becomes a real issue if the 2kb restriction is hit.
> And this is without having many groups and roles and/or capabilities
> inside the token...
>
[...]
>
> However, given the expected size, I think we should push for clients
> to use POST (and support for POST is a requirement in any case).
I might be talking at cross-purposes here, but we have use-cases that
involve tokens being included in the HTTP Authorization header, whether
they are OIDC access tokens or OAuth2 tokens (SciTokens).

The most immediate use is to authorise data transfers and namespace
operations (via WebDAV) but also elsewhere for bespoke REST APIs.

Cheers,
Paul.