The generated token is too large

s_narayanan · January 6, 2018, 3:03pm

Currently I have integrated Auth0 into an SPA using Database Password provider and things are working fine. I just added a social provider and when I try to login I am getting the below error.

error=invalid_request
error_description=The generated token is too large. Try with more specific scopes.

Can somebody please help?

jmangelo · January 8, 2018, 6:35pm

A SPA will likely be using the implicit grant which means by default issued tokens are included directly in the URL as part of the fragment component (the part after the #). Given URL’s are limited in size by browsers the service will error out with an explicit message if the generated token is likely to hit browser limits (the explicit error is better than whatever silent failure you could get from the browser not correctly handling the full URL).

Having said that this logic is unlikely to be an issue unless you’re including vast amounts of information in the issued token. The first thing to make sure is that you’re performing OIDC compliant authentication as that would mean only OIDC standard information is included in the issued ID token and that will significantly decrease the chances of hitting this error. In addition, ensure that if you’re including custom claims in the issued tokens then that the information you’re including is sufficiently small.

Finally, even ensuring the above two points may note address the situation if the issue is caused by a social provider that returns a vast amount of information in one of the OIDC standard fields. In that situation you may need to request scopes that don’t trigger the inclusion of such information in the issued tokens.

iwatson · June 28, 2018, 4:57pm

Hello jmangelo,

Your article was most informative. Thank you.

I’ve been struggling with this issue for months. Eventually I managed to catch a screen shot of the actual error message before is disappeared from my URL bar.

I’m using Facebook as a social provider. Which used to work beautifully…until it didn’t

Please could you please point me in the right direction here. Is this done through Facebook themselves, or is it an Auth0 setting?

Any pointers will be greatly appreciated. You’re already a life saver.

Ian Watson

iwatson · July 1, 2018, 10:33pm

Hello jmangelo,

Ohhhhh, I see. Thank you.

After fiddling a bit, I realised that one limits the scope in the options of the lock widget.

I used:

auth: {
	responseType: 'token',		
	params: {
            scope: 'openid'
	}
}

And my problem is solved.

Regards,

Ian Watson

system · July 16, 2019, 12:48pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Saltuk · May 25, 2021, 2:59pm

It is important to note that this limitation is for the implicit grant only where Auth0 returns the tokens in the hash fragment during the app callback redirect. The limitation helps to avoid hard to troubleshoot URL limits imposed by some browsers.

Our SPA samples are now using the auth0-spa-js library. This library has implemented the authorization code with PKCE. The token exchange happens with XML HTTP requests; hence there isn’t a token size limitation needed.