openid / fapi / issues / #273 - Security considerations re large access tokens — Bitbucket

Issue #273 open

Dave Tonge created an issue 2019-10-23

A question has been raised about whether there any maximum lengths for access tokens.

There doesn’t seem to be anything in any of the underlying specs, however if tokens exceed 8k then they may be rejected by most standard web servers. Best practice seems to be to limit header size to prevent DDOS attacks.

Do we need anything in FAPI on this?

‌

Comments (4)

Joseph Heenan
https://tools.ietf.org/html/rfc6749#section-4.2.2 goes out of it’s way to avoid adding any guidance beyond “it’s up to the AS”:
```
 The
   client should avoid making assumptions about value sizes.  The
   authorization server SHOULD document the size of any value it issues.
```
JWT access tokens can presumably get fairly large, I’d imagine 1024 bytes is not unheard of.

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02 doesn’t appear to have anything to say on length from a quick scan.

I’m not necessarily sure we need any guidance. What would the guidance say?
- 2019-10-23T12:54:50+00:00
Dave Tonge reporter
We discussed on adding something about this to the advice document.
- Latency / performance issues
- Data minimisation issues
‌
- 2019-10-23T14:46:55+00:00
Dave Tonge reporter
- changed component to Implementation & Deployment Advice
- assigned issue to
  
  Dave Tonge
- 2019-10-23T14:47:37+00:00
Nat Sakimura
- changed status to open
@Dave Tonge , could you update the status on this ticket?
- 2022-12-14T14:47:22+00:00
Log in to comment

Assignee: Dave Tonge

Type: enhancement

Priority: major

Status: open

Component: Implementation & Deployment Advice

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!