Security considerations re large access tokens

Issue #273 new
Dave Tonge created an issue

A question has been raised about whether there any maximum lengths for access tokens.

There doesn’t seem to be anything in any of the underlying specs, however if tokens exceed 8k then they may be rejected by most standard web servers. Best practice seems to be to limit header size to prevent DDOS attacks.

Do we need anything in FAPI on this?

Comments (3)

  1. Joseph Heenan goes out of it’s way to avoid adding any guidance beyond “it’s up to the AS”:

       client should avoid making assumptions about value sizes.  The
       authorization server SHOULD document the size of any value it issues.

    JWT access tokens can presumably get fairly large, I’d imagine 1024 bytes is not unheard of. doesn’t appear to have anything to say on length from a quick scan.

    I’m not necessarily sure we need any guidance. What would the guidance say?

  2. Dave Tonge reporter

    We discussed on adding something about this to the advice document.

    • Latency / performance issues
    • Data minimisation issues

  3. Log in to comment