[openid-specs-rande] 2kb useable limit?
Mischa Salle
msalle at nikhef.nl
Mon May 27 11:18:42 UTC 2019
On Mon, May 27, 2019 at 11:56:35AM +0200, Paul Millar wrote:
> Hi Mischa,
>
> On 27/05/2019 11:11, Mischa Salle wrote:
> > > Our current example tokens get up to 1200b without signing information so
> > > this quickly becomes a real issue if the 2kb restriction is hit.
> > And this is without having many groups and roles and/or capabilities
> > inside the token...
> >
> [...]
> >
> > However, given the expected size, I think we should push for clients
> > to use POST (and support for POST is a requirement in any case).
>
> I might be talking at cross-purposes here, but we have use-cases that
> involve tokens being included in the HTTP Authorization header, whether they
> are OIDC access tokens or OAuth2 tokens (SciTokens).
> The most immediate use is to authorise data transfers and namespace
> operations (via WebDAV) but also elsewhere for bespoke REST APIs.
Sure, the auth header is fine, at least from a security perspective, since
you normally don't get the tokens in logfiles. You do run into trouble
with the maximum size, but that's typically configurable AFAIU.
The auth header is also the only type that a resource server MUST support
(unfortunately), although in OIDC (so the userinfo endpoint) it MUST
support all three.
Cheers,
Mischa
--
Nikhef, Room H155
Science Park 105, 1098 XG Amsterdam, The Netherlands
Tel. +31-20-592 5102, Fax +31-20-592 5155
Email: msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
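The two points the message above turns on, the three RFC 6750 ways of sending a bearer token (Authorization header, which a resource server MUST support; form-encoded body; URI query parameter, with the rule that a client MUST NOT combine them in one request) and how fast a token carrying groups and roles outgrows a 2 kB budget, can be seen in a small resource-server-side helper. The following is an added example, not code from the thread or from any OpenID/OAuth project. The 2048-byte limit, the HMAC key, the claim names, the group naming scheme and the identifiers in the sample claims are all constructed for the demo; a real deployment would also verify the signature against the issuer's keys, which is out of scope here.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Mapping, Optional, Tuple

# Added example: RFC 6750 bearer-token extraction plus a JWT size probe.
# All limits, keys, claim values and group names are assumptions for the demo.

MAX_TOKEN_BYTES = 2048          # assumed local limit, the "2kb" figure from the thread
DEMO_KEY = b"constructed-demo-key-not-for-production"

# b64token syntax from RFC 6750 section 2.1
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


class TokenError(ValueError):
    """Raised when a request carries no usable bearer token."""


def extract_bearer_token(headers: Mapping[str, str],
                         form: Optional[Mapping[str, str]] = None,
                         query: Optional[Mapping[str, str]] = None) -> Tuple[str, str]:
    """Return (method, token) for exactly one RFC 6750 transmission method.

    headers: HTTP request headers (names matched case-insensitively)
    form:    parsed application/x-www-form-urlencoded body, if any
    query:   parsed URI query parameters, if any
    """
    found = []
    lowered = {name.lower(): value for name, value in headers.items()}
    auth = lowered.get("authorization")
    if auth is not None:
        scheme, _, credentials = auth.strip().partition(" ")
        credentials = credentials.strip()
        # Scheme names are case-insensitive (RFC 7235), so "bearer" is accepted too.
        if scheme.lower() != "bearer" or not credentials:
            raise TokenError("malformed Authorization header")
        found.append(("header", credentials))
    if form and "access_token" in form:
        found.append(("form", form["access_token"]))
    if query and "access_token" in query:
        # Query strings tend to end up in access logs; RFC 6750 discourages this
        # method and a deployment may refuse it. Accepted here for completeness.
        found.append(("query", query["access_token"]))

    if not found:
        raise TokenError("no bearer token in request")
    if len(found) > 1:
        # RFC 6750 section 2: clients MUST NOT use more than one method per request.
        raise TokenError("bearer token sent via more than one method")

    method, token = found[0]
    if not _B64TOKEN.match(token):
        raise TokenError("token is not valid b64token syntax")
    if len(token.encode("ascii")) > MAX_TOKEN_BYTES:
        raise TokenError(f"token is {len(token)} bytes, limit is {MAX_TOKEN_BYTES}")
    return method, token


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; compact JSON keeps the payload as small as it gets."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def sample_claims(n_groups: int) -> dict:
    """Constructed claim set: a few identity claims plus n_groups group/role entries."""
    return {
        "iss": "https://issuer.example.org",
        "sub": "5c7e4e2a-0f3a-4d0f-9a3b-1b9d2a7c1e44",
        "aud": "https://storage.example.org",
        "iat": 1558955922,
        "exp": 1558959522,
        "scope": "openid profile storage.read:/ storage.modify:/",
        "groups": [f"/example-vo/group{i:03d}/role" for i in range(n_groups)],
    }


def smallest_group_count_over_limit(limit: int = MAX_TOKEN_BYTES, key: bytes = DEMO_KEY) -> int:
    """Smallest number of groups at which the signed token exceeds `limit` bytes."""
    n = 0
    while len(make_hs256_jwt(sample_claims(n), key)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    print(f"signed token with no groups: {len(make_hs256_jwt(sample_claims(0), DEMO_KEY))} bytes")
    print(f"exceeds {MAX_TOKEN_BYTES} bytes at {smallest_group_count_over_limit()} groups")
```

Running the probe shows the budget going in a few dozen groups even though the demo signs with HS256, whose 32-byte tag costs only 43 characters; an RS256 signature over a 2048-bit key adds about 342 characters on its own, so the figures quoted in the thread (1200 bytes before signing) leave very little headroom. The extractor enforces the single-method rule and the size cap before any signature check, which is where a resource server should reject oversized or ambiguous requests rather than after doing cryptographic work on them.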