<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I heard a while ago (actually last week) that there were implementations<div class="">out there in the wild that had problems with anything bigger than 2kb.</div><div class=""><br class=""></div><div class="">So, it’s a real world problem. And I think where it really hits is when the JWT </div><div class="">is part of a URL. Like when you have an id_token_hint in an authorisation request.</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 23 May 2019, at 18:45, Mischa Salle &lt;<a href="mailto:msalle@nikhef.nl" class="">msalle@nikhef.nl</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi,<br class=""><br class="">just to forward what I also wrote on the WLCG AuthZ WG mailing list:<br class=""><br class=""><blockquote type="cite" class="">just a small note on the token size, also keep in mind that they are<br class="">(typically) transported as JWT with signature and header and that you<br class="">can remove some whitespace. All kinds of things that might influence the<br class="">size. 
The size limitation might have to do with their use as bearer<br class="">tokens, meaning they're (often) put in an Authorization header, see the<br class="">OAuth2 bearer token RFC <a href="https://tools.ietf.org/html/rfc6750" class="">https://tools.ietf.org/html/rfc6750</a><br class="">which might or might not be such a good idea...<br class=""></blockquote><br class="">headers have no strict maximum size, but are often limited to 4kB or<br class="">8kB in webservers (although usually can also be increased).<br class=""><br class="">Where did you get the 2k limitation?<br class=""><br class="">Cheers,<br class="">Mischa<br class=""><br class=""><br class=""><br class="">On Thu, May 23, 2019 at 04:36:10PM +0000, Nick Roy wrote:<br class=""><blockquote type="cite" class="">I found this thread, may be useful:<br class=""><br class=""><a href="https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token" class="">https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token</a><br class=""><br class="">Nick<br class=""><br class="">On 23 May 2019, at 9:41, Hannah Short wrote:<br class=""><br class=""><blockquote type="cite" class="">Hi everyone,<br class=""><br class="">I'm wondering whether anyone can clarify why there is a recommended limit<br class="">of 2kb for OIDC tokens? 
Is this a limitation in a common library, or a<br class="">length restriction of HTTP Headers, for example?<br class=""><br class="">Cheers,<br class="">Hannah<br class="">-- <br class="">openid-specs-rande mailing list<br class="">openid-specs-rande@lists.openid.net<br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></blockquote></blockquote><br class=""><br class=""><br class="">-- <br class="">Nikhef Room H155<br class="">Science Park 105 Tel. +31-20-592 5102<br class="">1098 XG Amsterdam Fax +31-20-592 5155<br class="">The Netherlands <a href="mailto:msalle@nikhef.nl" class="">Email msalle@nikhef.nl</a><br class=""> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">— Roland</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. -Thomas Jefferson, third US president, architect, and author (1743-1826) </div></div>
</div>
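<div class="">Added example, not part of the original thread: a size check for a compact JWT against the 2 kB, 4 kB and 8 kB figures mentioned above, both as an Authorization bearer header and as an id_token_hint query parameter, including the effect of removing JSON whitespace. The HS256 key, the claims and the group names are constructed for illustration.</div>

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Limits named in the thread: the 2 kB recommendation and the 4 kB / 8 kB
# header limits often configured in web servers.
LIMITS = {"2kB": 2048, "4kB": 4096, "8kB": 8192}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jws(claims: dict, key: bytes, compact_json: bool = True) -> str:
    """Build an HS256 compact JWS; compact_json drops JSON whitespace."""
    sep = (",", ":") if compact_json else (", ", ": ")
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=sep)
    payload = json.dumps(claims, separators=sep)
    signing_input = b64url(header.encode()) + "." + b64url(payload.encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def transport_sizes(token: str) -> dict:
    """Bytes the token occupies in the two transports the thread mentions."""
    return {
        # Header line without the trailing CRLF.
        "authorization_header": len("Authorization: Bearer " + token),
        "id_token_hint_param": len(urlencode({"id_token_hint": token})),
    }


def fits(token: str) -> dict:
    """For each limit, report which transports stay within it."""
    sizes = transport_sizes(token)
    return {name: {k: v <= lim for k, v in sizes.items()} for name, lim in LIMITS.items()}


def sample_claims(n_groups: int) -> dict:
    # Constructed claims: issuer, subject, audience and group names are made up.
    groups = [f"/vo/example/group-{i:03d}" for i in range(n_groups)]
    return {"iss": "https://op.example.org", "sub": "user-0001", "aud": "rp-client",
            "iat": 1558629910, "exp": 1558633510, "groups": groups}


def max_groups_within(limit: int, key: bytes) -> int:
    """Largest group count whose token still fits the header limit."""
    n = 0
    while transport_sizes(make_jws(sample_claims(n + 1), key))["authorization_header"] <= limit:
        n += 1
    return n
```

<div class="">Calling max_groups_within(2048, key) shows how few group claims fit before the token crosses the 2 kB figure; an RSA or ECDSA signature would take more room than the 32-byte HMAC used here.</div>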
<br class=""></div></body></html>