We’re in the midst of upgrading from lock 10 to 11 and have run into an issue with receiving our tokens.
We have some users who have a large profile/app_metadata (users who belong to a lot of groups and who have a lot of permissions) and when they try to log in we’re returned with the error “generated token is too large”
We were not experiencing this issue with lock 10 and have only run into it since moving to lock 11.
We’ve noted the post here that addresses the same error though in a different context and not in relation to migrating from lock 10 to 11.
We have a react/redux web-app that talks to an API where we decode the JWT to check user permissions. We’re currently using the id-token with the Auth0 Authorization Extension to include the users permissions. Our desire is to maintain this model so that we can avoid having to query Auth0 with each API request to check a users permissions.
We have two queries we’re hoping for some help to answer:
- Is the error we’re getting a new restriction with Lock 11 or is it a bug?
- If we can’t keep the id-token (or add the claims to the access-token) because the resulting tokens are too large is our only option to check user permissions with Auth0 upon each API request? Or might there be another approach? Could we get the signed id-token in another request where there isn’t a size restriction?