<div dir="ltr">Ok, thanks everyone :)<div><br></div><div>Our current example tokens get up to 1200b without signing information, so this quickly becomes a real issue if the 2kb restriction is hit. I *think* (could be wrong!) in our case we wouldn't be putting tokens directly in a URL. </div><div><br></div><div>Cheers,</div><div>Hannah</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 23 May 2019 at 19:44, Roland Hedberg <<a href="mailto:roland@catalogix.se">roland@catalogix.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">I heard a while ago (actually last week) that there were implementations<div>out there in the wild that had problems with anything bigger than 2kb.</div><div><br></div><div>So, it’s a real-world problem. And I think where it really hits is when the JWT </div><div>is part of a URL. Like when you have an id_token_hint in an authorisation request.</div><div><br></div><div><div><blockquote type="cite"><div>On 23 May 2019, at 18:45, Mischa Salle <<a href="mailto:msalle@nikhef.nl" target="_blank">msalle@nikhef.nl</a>> wrote:</div><br><div><div>Hi,<br><br>just to forward what I also wrote on the WLCG AuthZ WG mailing list:<br><br><blockquote type="cite">Just a small note on the token size: also keep in mind that they are<br>(typically) transported as JWT with signature and header and that you<br>can remove some whitespace. All kinds of things that might influence the<br>size. 
The size limitation might have to do with their use as bearer<br>tokens, meaning they're (often) put in an Authorization header, see the<br>OAuth2 bearer token RFC <a href="https://tools.ietf.org/html/rfc6750" target="_blank">https://tools.ietf.org/html/rfc6750</a><br>which might or might not be such a good idea...<br></blockquote><br>Headers have no strict maximum size, but are often limited to 4kB or<br>8kB in webservers (although this can usually be increased).<br><br>Where did you get the 2k limitation?<br><br>Cheers,<br>Mischa<br><br><br><br>On Thu, May 23, 2019 at 04:36:10PM +0000, Nick Roy wrote:<br><blockquote type="cite">I found this thread, may be useful:<br><br><a href="https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token" target="_blank">https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token</a><br><br>Nick<br><br>On 23 May 2019, at 9:41, Hannah Short wrote:<br><br><blockquote type="cite">Hi everyone,<br><br>I'm wondering whether anyone can clarify why there is a recommended limit<br>of 2kb for OIDC tokens? Is this a limitation in a common library, or a<br>length restriction of HTTP headers, for example?<br><br>Cheers,<br>Hannah<br>-- <br>openid-specs-rande mailing list<br><a href="mailto:openid-specs-rande@lists.openid.net" target="_blank">openid-specs-rande@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-rande" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-rande</a><br></blockquote></blockquote><br><br>-- <br>Nikhef Room H155<br>Science Park 105 Tel. +31-20-592 5102<br>1098 XG Amsterdam Fax +31-20-592 5155<br>The Netherlands <a href="mailto:msalle@nikhef.nl" target="_blank">Email msalle@nikhef.nl</a><br></div></div></blockquote></div><br><div>
<div dir="auto" style="overflow-wrap: break-word;"><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">— Roland</div></div>
</div>
<br></div></div>
</blockquote></div>
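<div><br></div><div>An added worked example, not part of the thread and not code from any of the posters: a stdlib-only Python script that signs a constructed ID-token-like claim set as a compact JWS with HS256, verifies it, and reports the sizes the thread is arguing about: with and without the JSON whitespace Mischa mentions, with the signature length the same token would have under RS256, and placed as an id_token_hint in an authorisation request URL as in Roland's case, measured against the 2 kB figure. The key, claim values, entitlement strings, endpoint and client identifiers are all made up; the RS256 figure is an arithmetic estimate (a PKCS#1 v1.5 signature is exactly the RSA modulus length), not a real RSA signature.</div>

```python
"""Measure how big a signed JWT gets and where a 2 kB ceiling would bite.

Added example (stdlib only). Key, claims, entitlement strings and URLs are
constructed sample data, not anything taken from the mailing list thread.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

SIZE_LIMIT = 2048  # the 2 kB figure from the thread; not a value from any spec


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses it (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, compact_json: bool = True) -> str:
    """Compact JWS signed with HS256. compact_json=False keeps json.dumps'
    default ', ' and ': ' separators, i.e. the removable whitespace."""
    seps = (",", ":") if compact_json else (", ", ": ")
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=seps).encode())
    p = b64url(json.dumps(claims, separators=seps).encode())
    tag = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 token and return its claims; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def rs256_length(hs256_token: str, modulus_bits: int = 2048) -> int:
    """Length the same token would have with an RS256 signature. A PKCS#1 v1.5
    signature is exactly the modulus length: 256 bytes for RSA-2048, which is
    342 base64url characters instead of the 43 of an HMAC-SHA256 tag."""
    h, p, _ = hs256_token.split(".")
    return len(h) + 1 + len(p) + 1 + len(b64url(b"\0" * (modulus_bits // 8)))


def authz_request_url(token: str) -> str:
    """Authorisation request carrying the token as id_token_hint (endpoint and
    client values are made up). The base64url alphabet is URL-safe, so the
    token lands in the query string unchanged and counts byte for byte."""
    params = {
        "response_type": "code",
        "client_id": "example-rp",
        "redirect_uri": "https://rp.example/cb",
        "scope": "openid",
        "id_token_hint": token,
    }
    return "https://op.example/authorize?" + urlencode(params)


def over_limit(text: str, limit: int = SIZE_LIMIT) -> bool:
    return len(text.encode("ascii")) > limit


# Constructed sample claims: a minimal ID token, and one padded with many
# entitlement values, the kind of claim set that grows past 1 kB in practice.
KEY = b"constructed-demo-key-not-for-use"
BASIC_CLAIMS = {
    "iss": "https://op.example", "sub": "248289761001", "aud": "example-rp",
    "exp": 1558644000, "iat": 1558640400, "nonce": "n-0S6_WzA2Mj",
}
FAT_CLAIMS = dict(BASIC_CLAIMS, eduperson_entitlement=[
    f"urn:mace:example.org:group:project-{i:02d}:role=member#idp.example"
    for i in range(40)
])


def report(claims: dict) -> dict:
    """Sizes (in ASCII bytes) of one claim set in the forms discussed."""
    tok = sign_hs256(claims, KEY)
    return {
        "hs256": len(tok),
        "hs256_with_whitespace": len(sign_hs256(claims, KEY, compact_json=False)),
        "rs256": rs256_length(tok),
        "in_url": len(authz_request_url(tok)),
        "over_2kb": over_limit(tok),
    }


if __name__ == "__main__":
    for name, claims in (("basic", BASIC_CLAIMS), ("fat", FAT_CLAIMS)):
        print(name, report(claims))
```

<div>Two things the numbers make concrete: base64url inflates the JSON by a third before the signature is even counted, and moving from HS256 to RS256 with a 2048-bit key adds 299 characters to every token regardless of its claims, so a token that is comfortably under 2 kB as an HMAC-signed sample can cross it once signed by a real OP. The 40-entitlement claim set is over the limit in every form, and the URL form is longer still, which is the id_token_hint case Roland describes.</div>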