We are running into a problem with JWT token length when the token is exchanged in the URL, given our payload.
We have added a number of custom claims, which add to the size, especially by repeating the namespace.
We have experimented with shorter (unique random) namespaces, and we have observed different behavior from Auth0
when it comes to rules and the final idToken.
In our existing US tenant we can use a shorter 10-character random name.
In our existing EU tenant we cannot, unless we prefix it with either http:// or https://
Why is there a requirement to use up to 6 extra characters in the EU for namespaces?
In other words, in the EU we have to use
{
"https://82739hhydf": "blue"
}
While in the US we can use
{
"82739hhydf": "blue"
}
We have checked the OpenID requirements, and there is no requirement that a namespace be prefixed with an extra http or https.
Where is this requirement coming from? Why is it applied differently across tenants? Can it be removed?
Here are the details from OpenID:
Final: OpenID Connect Core 1.0 incorporating errata set 1
5.1.2. Additional Claims
While this specification defines only a small set of Claims as standard Claims, other Claims MAY be used in conjunction with the standard Claims. When using such Claims, it is RECOMMENDED that collision-resistant names be used for the Claim Names, as described in the JSON Web Token (JWT) [JWT] specification. Alternatively, Private Claim Names can be safely used when naming conflicts are unlikely to arise, as described in the JWT specification. Or, if specific additional Claims will have broad and general applicability, they can be registered with Registered Claim Names, per the JWT specification.
Thanks,
George.