Security considerations re large access tokens
Issue #273
open
A question has been raised about whether there are any maximum lengths for access tokens.
There doesn’t seem to be anything in any of the underlying specs; however, if tokens exceed 8k then they may be rejected by most standard web servers. Best practice seems to be to limit header size to prevent DDoS attacks.
Do we need anything in FAPI on this?
Comments (4)
reporter: We discussed adding something about this to the advice document.
- Latency / performance issues
- Data minimisation issues
reporter - changed component to Implementation & Deployment Advice
assigned issue to
- changed status to open
@Dave Tonge , could you update the status on this ticket?
https://tools.ietf.org/html/rfc6749#section-4.2.2 goes out of its way to avoid adding any guidance beyond “it’s up to the AS”:
JWT access tokens can presumably get fairly large, I’d imagine 1024 bytes is not unheard of.
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02 doesn’t appear to have anything to say on length from a quick scan.
I’m not necessarily sure we need any guidance. What would the guidance say?